Bug 1226084 (CVE-2024-23793) - VUL-0: CVE-2024-23793: otrs: path traversal vulnerability in file upload feature
Summary: VUL-0: CVE-2024-23793: otrs: path traversal vulnerability in file upload feature
Status: RESOLVED WONTFIX
Alias: CVE-2024-23793
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.6
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Christian Wittmer
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/408942/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-06-07 10:28 UTC by SMASH SMASH
Modified: 2024-06-07 13:27 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-06-07 10:28:31 UTC
The file upload feature in OTRS and ((OTRS)) Community Edition has a path traversal vulnerability. This issue permits authenticated agents or customer users to upload potentially harmful files to directories accessible by the web server, potentially leading to the execution of local code like Perl scripts.
This issue affects OTRS: from 7.0.X through 7.0.49, 8.0.X, 2023.X, from 2024.X through 2024.3.2; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23793
https://www.cve.org/CVERecord?id=CVE-2024-23793
https://otrs.com/release-notes/otrs-security-advisory-2024-05/
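The flaw class the advisory text describes, as an added example that is not OTRS code and not part of this bug report: the unchecked join that lets a client-supplied upload filename escape the storage directory, beside a hardened version that keeps only the last path component, allow-lists it and verifies containment. UPLOAD_ROOT and the sample filenames are constructed for the demonstration.

```python
import posixpath

# Constructed storage root for the demonstration; not an OTRS path.
UPLOAD_ROOT = "/srv/upload-store"


def naive_target_path(root, client_filename):
    """Vulnerable pattern: the client-supplied name is joined onto the root
    unchecked. '..' segments walk out of root, and an absolute name makes
    join() discard root altogether."""
    return posixpath.normpath(posixpath.join(root, client_filename))


def safe_target_path(root, client_filename):
    """Hardened pattern: keep only the last path component, allow-list its
    characters, then verify the normalized result is still under root."""
    # 1. Drop any directory part, whatever separator the client used.
    name = posixpath.basename(client_filename.replace("\\", "/"))
    # 2. Reject empty names and the special entries '.' and '..'.
    if name in ("", ".", ".."):
        raise ValueError("empty or special filename")
    # 3. Allow-list letters, digits, '.', '_' and '-'; no hidden (dot) files.
    if name.startswith(".") or not all(c.isalnum() or c in "._-" for c in name):
        raise ValueError("disallowed character in filename")
    # 4. Defence in depth: the final path must still have root as its prefix.
    root = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root, name))
    if posixpath.commonpath([root, target]) != root:
        raise ValueError("resolved path escapes upload root")
    return target


def screen_upload(root, client_filename):
    """Return (True, path) when the name is accepted, (False, reason) otherwise."""
    try:
        return True, safe_target_path(root, client_filename)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample names: one benign, the rest shaped like traversal input.
    for name in ("report.pdf", "../outside.txt", "/abs/elsewhere.txt", "..", "a b.pl"):
        print(f"{name!r:24} naive -> {naive_target_path(UPLOAD_ROOT, name)}")
        print(f"{'':24} safe  -> {screen_upload(UPLOAD_ROOT, name)}")
```

Run stand-alone, the loop prints the escaped path the naive join produces for each name next to the hardened function's verdict on the same name.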
Comment 1 Andrea Mattiazzo 2024-06-07 10:29:55 UTC
Affected:
- openSUSE:Backports:SLE-15-SP5/otrs  6.0.30
- openSUSE:Backports:SLE-15-SP6/otrs  6.0.30
Comment 2 Christian Wittmer 2024-06-07 13:27:01 UTC
OTRS 6.0.x is EOL ... hence won't fix.

Migrate to:
https://otobo.io/de/community/

Repos are here:
http://download.opensuse.org/repositories/Application:/ITS:/otobo/