Bug 1226084 (CVE-2024-23793)

Summary: VUL-0: CVE-2024-23793: otrs: path traversal vulnerability in file upload feature
Product: [openSUSE] openSUSE Distribution
Reporter: SMASH SMASH <smash_bz>
Component: Security
Assignee: Christian Wittmer <chris>
Status: RESOLVED WONTFIX
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: andrea.mattiazzo
Version: Leap 15.6
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/408942/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-06-07 10:28:31 UTC
The file upload feature in OTRS and ((OTRS)) Community Edition has a path traversal vulnerability. This issue permits authenticated agents or customer users to upload potentially harmful files to directories accessible by the web server, potentially leading to the execution of local code like Perl scripts.
This issue affects OTRS: from 7.0.X through 7.0.49, 8.0.X, 2023.X, from 2024.X through 2024.3.2; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23793
https://www.cve.org/CVERecord?id=CVE-2024-23793
https://otrs.com/release-notes/otrs-security-advisory-2024-05/
Comment 1 Andrea Mattiazzo 2024-06-07 10:29:55 UTC
Affected:
- openSUSE:Backports:SLE-15-SP5/otrs  6.0.30
- openSUSE:Backports:SLE-15-SP6/otrs  6.0.30
Comment 2 Christian Wittmer 2024-06-07 13:27:01 UTC
OTRS 6.0.x is EOL ... hence won't fix.

Migrate to:
https://otobo.io/de/community/

Repos are here:
http://download.opensuse.org/repositories/Application:/ITS:/otobo/