Bug 1109822 (CVE-2018-16586)

Summary: VUL-1: CVE-2018-16586: otrs: Loading External Image or CSS Resources (OSA-2018-05)
Product: [openSUSE] openSUSE Distribution
Reporter: Andreas Stieger <astieger>
Component: Security
Assignee: Christian Wittmer <chris>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
Version: Leap 15.0
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/215505/
Whiteboard: CVSSv2:NVD:CVE-2018-11623:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andreas Stieger 2018-09-26 11:21:45 UTC
https://community.otrs.com/security-advisory-2018-05-security-update-for-otrs-framework/

Severity: 3.7 low
Product: OTRS 6.0.x, OTRS 5.0.x, OTRS 4.0.x
Fixed in: OTRS 6.0.11, OTRS 5.0.30, OTRS 4.0.32
FULL CVSS v3 VECTOR: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:R
References: CVE-2018-16586
An attacker could send a malicious email to an OTRS system. If a user with admin permissions opens it, it causes deletions of arbitrary files that the OTRS web server user has write access to.

Affected by this vulnerability are all releases of OTRS 6.0.x up to and including 6.0.10, OTRS 5.0.x up to and including 5.0.29, and OTRS 4.0.x up to and including 4.0.31.

This vulnerability is fixed in the latest versions of OTRS, and it is recommended to upgrade to the latest patch level.

Fixed releases can be found at:

    https://www.otrs.com/category/release-and-security-notes-en/

Detailed information about the changes:

    OTRS 6: https://github.com/OTRS/otrs/commit/09e80c7752b0d9080688e4597c7495dd109e0963
    OTRS 5: https://github.com/OTRS/otrs/commit/a808859a75c59ae3b7568f5cc4708c53462aa4c7
    OTRS 4: https://github.com/OTRS/otrs/commit/baa92df09145b8ae2702a3a0e85d8ba55ec96302
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16586
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-16586.html
Comment 1 Christian Wittmer 2018-09-26 13:31:38 UTC
ongoing work ...
Comment 2 Swamp Workflow Management 2018-09-26 17:30:10 UTC
This is an autogenerated message for OBS integration:
This bug (1109822) was mentioned in
https://build.opensuse.org/request/show/638524 Factory / otrs
Comment 3 Swamp Workflow Management 2018-09-26 18:30:14 UTC
This is an autogenerated message for OBS integration:
This bug (1109822) was mentioned in
https://build.opensuse.org/request/show/638542 15.0+Backports:SLE-15 / otrs
Comment 4 Swamp Workflow Management 2018-10-04 16:25:58 UTC
openSUSE-SU-2018:3005-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1103800,1109822,1109823
CVE References: CVE-2018-14593,CVE-2018-16586,CVE-2018-16587
Sources used:
openSUSE Leap 15.0 (src):    otrs-4.0.32-lp150.2.3.1
openSUSE Backports SLE-15 (src):    otrs-4.0.32-bp150.3.3.1
Comment 5 Marcus Meissner 2018-10-04 18:19:42 UTC
released