Bug 1213596 (CVE-2023-38056) - VUL-0: CVE-2023-38056: otrs: Improper Neutralization of commands allowed to be executed via System Configuration
Summary: VUL-0: CVE-2023-38056: otrs: Improper Neutralization of commands allowed to b...
Status: NEW
Alias: CVE-2023-38056
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Major
Target Milestone: ---
Assignee: Wolfgang Engel
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/373291/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-07-24 12:20 UTC by Robert Frohl
Modified: 2023-07-24 13:15 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Robert Frohl 2023-07-24 12:20:14 UTC
CVE-2023-38056

Improper Neutralization of commands allowed to be executed via OTRS System
Configuration e.g. SchedulerCronTaskModule using UnitTests modules allows any
authenticated attacker with admin privileges local execution of Code. This issue
affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS))
Community Edition: from 6.0.1 through 6.0.34.



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38056
https://www.cve.org/CVERecord?id=CVE-2023-38056
https://otrs.com/release-notes/otrs-security-advisory-2023-05/
Comment 1 Robert Frohl 2023-07-24 12:21:43 UTC
affecting openSUSE:Backports:*