Bug 1071797 (CVE-2017-16921)

Summary: VUL-0: CVE-2017-16921: otrs: Remote code execution for authenticated users (OSA-2017-09)
Product: [openSUSE] openSUSE Distribution Reporter: Johannes Segitz <jsegitz>
Component: SecurityAssignee: Johannes Segitz <jsegitz>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium    
Version: Leap 42.3   
Target Milestone: ---   
Hardware: Other   
OS: openSUSE Factory   
URL: https://smash.suse.de/issue/196328/
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Johannes Segitz 2017-12-07 16:17:18 UTC

An attacker who is logged into OTRS as an agent can manipulate form parameters and execute arbitrary shell commands with the permissions of the OTRS or web server user.


Comment 1 Christian Wittmer 2017-12-08 01:32:26 UTC
ongoing work
Comment 2 Christian Wittmer 2017-12-08 02:01:25 UTC
OTRS 3.3 is EOL. No security updates anymore.
User should update to 4.0.x at least.

Comment 3 Bernhard Wiedemann 2017-12-08 02:10:05 UTC
This is an autogenerated message for OBS integration:
This bug (1071797) was mentioned in
https://build.opensuse.org/request/show/555150 Factory / otrs
Comment 4 Christian Wittmer 2017-12-16 13:36:57 UTC
An OTRS 5 version is being prepared in network:otrs:Test