Bug 1109823 – VUL-0: CVE-2018-16587: otrs: Remote File Deletion (OSA-2018-04)

Bug 1109823 - (CVE-2018-16587) VUL-0: CVE-2018-16587: otrs: Remote File Deletion (OSA-2018-04)

(CVE-2018-16587)
Summary:	VUL-0: CVE-2018-16587: otrs: Remote File Deletion (OSA-2018-04)

Status:	RESOLVED FIXED

Classification:	openSUSE
Product:	openSUSE Distribution
Classification:	openSUSE
Component:	Security
Version:	Leap 15.0
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal (vote)
Target Milestone:	---
Assigned To:	Christian Wittmer
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/215507/
Whiteboard:	CVSSv2:NVD:CVE-2018-14242:6.8:(AV:N/...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2018-09-26 11:26 UTC by Andreas Stieger
Modified:	2018-10-04 18:19 UTC (History)
CC List:	0 users

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andreas Stieger 2018-09-26 11:26:56 UTC

https://community.otrs.com/security-advisory-2018-04-security-update-for-otrs-framework/

Title: Remote File Deletion
Severity: 5.6. Medium
Product: OTRS 6.0.x, OTRS 5.0.x, OTRS 4.0.x
Fixed in: OTRS 6.0.11, OTRS 5.0.30, OTRS 4.0.32
FULL CVSS v3 VECTOR: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
References: CVE-2018-16587

An attacker could send a malicious email to an OTRS system. If a user with admin permissions opens it, it causes deletions of arbitrary files that the OTRS web server user has write access to.

Affected by this vulnerability are all releases of OTRS 6.0.x up to and including 6.0.10, OTRS 5.0.x up to and including 5.0.29, and OTRS 4.0.x up to and including 4.0.31.

This vulnerability is fixed in the latest versions of OTRS, and it is recommended to upgrade to the latest patch level.

Fixed releases can be found at:

    https://www.otrs.com/category/release-and-security-notes-en/

Detailed information about the changes:

    OTRS 6: https://github.com/OTRS/otrs/commit/a4a1a01f84fac7ab032570ee50b660e2ebb15c01
    OTRS 5: https://github.com/OTRS/otrs/commit/d9db0c6a15caafda7689320ecf61777993c33711
    OTRS 4: https://github.com/OTRS/otrs/commit/d8cae00b0f78c2a07bb10cedb817304139395843


Thanks to Francesco Sirocco for discovering and reporting this issue.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16587
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-16587.html

Comment 1 Christian Wittmer 2018-09-26 13:31:58 UTC

ongoing work ...

Comment 2 Swamp Workflow Management 2018-09-26 17:30:14 UTC

This is an autogenerated message for OBS integration:
This bug (1109823) was mentioned in
https://build.opensuse.org/request/show/638524 Factory / otrs

Comment 3 Swamp Workflow Management 2018-09-26 18:30:18 UTC

This is an autogenerated message for OBS integration:
This bug (1109823) was mentioned in
https://build.opensuse.org/request/show/638542 15.0+Backports:SLE-15 / otrs

Comment 4 Swamp Workflow Management 2018-10-04 16:26:06 UTC

openSUSE-SU-2018:3005-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1103800,1109822,1109823
CVE References: CVE-2018-14593,CVE-2018-16586,CVE-2018-16587
Sources used:
openSUSE Leap 15.0 (src):    otrs-4.0.32-lp150.2.3.1
openSUSE Backports SLE-15 (src):    otrs-4.0.32-bp150.3.3.1

Comment 5 Marcus Meissner 2018-10-04 18:19:50 UTC

released