Bug 1109823 (CVE-2018-16587)

Summary: VUL-0: CVE-2018-16587: otrs: Remote File Deletion (OSA-2018-04)
Product: [openSUSE] openSUSE Distribution Reporter: Andreas Stieger <astieger>
Component: SecurityAssignee: Christian Wittmer <chris>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium    
Version: Leap 15.0   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/215507/
Whiteboard: CVSSv2:NVD:CVE-2018-14242:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Andreas Stieger 2018-09-26 11:26:56 UTC
https://community.otrs.com/security-advisory-2018-04-security-update-for-otrs-framework/

Title: Remote File Deletion
Severity: 5.6. Medium
Product: OTRS 6.0.x, OTRS 5.0.x, OTRS 4.0.x
Fixed in: OTRS 6.0.11, OTRS 5.0.30, OTRS 4.0.32
FULL CVSS v3 VECTOR: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
References: CVE-2018-16587

An attacker could send a malicious email to an OTRS system. If a user with admin permissions opens it, it causes deletions of arbitrary files that the OTRS web server user has write access to.

Affected by this vulnerability are all releases of OTRS 6.0.x up to and including 6.0.10, OTRS 5.0.x up to and including 5.0.29, and OTRS 4.0.x up to and including 4.0.31.

This vulnerability is fixed in the latest versions of OTRS, and it is recommended to upgrade to the latest patch level.

Fixed releases can be found at:

    https://www.otrs.com/category/release-and-security-notes-en/

Detailed information about the changes:

    OTRS 6: https://github.com/OTRS/otrs/commit/a4a1a01f84fac7ab032570ee50b660e2ebb15c01
    OTRS 5: https://github.com/OTRS/otrs/commit/d9db0c6a15caafda7689320ecf61777993c33711
    OTRS 4: https://github.com/OTRS/otrs/commit/d8cae00b0f78c2a07bb10cedb817304139395843


Thanks to Francesco Sirocco for discovering and reporting this issue.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16587
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-16587.html
Comment 1 Christian Wittmer 2018-09-26 13:31:58 UTC
ongoing work ...
Comment 2 Swamp Workflow Management 2018-09-26 17:30:14 UTC
This is an autogenerated message for OBS integration:
This bug (1109823) was mentioned in
https://build.opensuse.org/request/show/638524 Factory / otrs
Comment 3 Swamp Workflow Management 2018-09-26 18:30:18 UTC
This is an autogenerated message for OBS integration:
This bug (1109823) was mentioned in
https://build.opensuse.org/request/show/638542 15.0+Backports:SLE-15 / otrs
Comment 4 Swamp Workflow Management 2018-10-04 16:26:06 UTC
openSUSE-SU-2018:3005-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1103800,1109822,1109823
CVE References: CVE-2018-14593,CVE-2018-16586,CVE-2018-16587
Sources used:
openSUSE Leap 15.0 (src):    otrs-4.0.32-lp150.2.3.1
openSUSE Backports SLE-15 (src):    otrs-4.0.32-bp150.3.3.1
Comment 5 Marcus Meissner 2018-10-04 18:19:50 UTC
released