Bug 1109823 - (CVE-2018-16587) VUL-0: CVE-2018-16587: otrs: Remote File Deletion (OSA-2018-04)
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.0
Hardware: Other
OS: Other
Importance: P3 - Medium, Normal
Assigned To: Christian Wittmer
Security Team bot
https://smash.suse.de/issue/215507/
CVSSv2:NVD:CVE-2018-14242:6.8:(AV:N/...
Depends on:
Blocks:
Reported: 2018-09-26 11:26 UTC by Andreas Stieger
Modified: 2018-10-04 18:19 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2018-09-26 11:26:56 UTC
https://community.otrs.com/security-advisory-2018-04-security-update-for-otrs-framework/

Title: Remote File Deletion
Severity: 5.6 Medium
Product: OTRS 6.0.x, OTRS 5.0.x, OTRS 4.0.x
Fixed in: OTRS 6.0.11, OTRS 5.0.30, OTRS 4.0.32
FULL CVSS v3 VECTOR: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:R
References: CVE-2018-16587

An attacker could send a malicious email to an OTRS system. If a user with admin permissions opens it, it causes deletions of arbitrary files that the OTRS web server user has write access to.

Affected by this vulnerability are all releases of OTRS 6.0.x up to and including 6.0.10, OTRS 5.0.x up to and including 5.0.29, and OTRS 4.0.x up to and including 4.0.31.

This vulnerability is fixed in the latest versions of OTRS, and it is recommended to upgrade to the latest patch level.

Fixed releases can be found at:

    https://www.otrs.com/category/release-and-security-notes-en/

Detailed information about the changes:

    OTRS 6: https://github.com/OTRS/otrs/commit/a4a1a01f84fac7ab032570ee50b660e2ebb15c01
    OTRS 5: https://github.com/OTRS/otrs/commit/d9db0c6a15caafda7689320ecf61777993c33711
    OTRS 4: https://github.com/OTRS/otrs/commit/d8cae00b0f78c2a07bb10cedb817304139395843


Thanks to Francesco Sirocco for discovering and reporting this issue.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16587
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-16587.html
Comment 1 Christian Wittmer 2018-09-26 13:31:58 UTC
ongoing work ...
Comment 2 Swamp Workflow Management 2018-09-26 17:30:14 UTC
This is an autogenerated message for OBS integration:
This bug (1109823) was mentioned in
https://build.opensuse.org/request/show/638524 Factory / otrs
Comment 3 Swamp Workflow Management 2018-09-26 18:30:18 UTC
This is an autogenerated message for OBS integration:
This bug (1109823) was mentioned in
https://build.opensuse.org/request/show/638542 15.0+Backports:SLE-15 / otrs
Comment 4 Swamp Workflow Management 2018-10-04 16:26:06 UTC
openSUSE-SU-2018:3005-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1103800,1109822,1109823
CVE References: CVE-2018-14593,CVE-2018-16586,CVE-2018-16587
Sources used:
openSUSE Leap 15.0 (src):    otrs-4.0.32-lp150.2.3.1
openSUSE Backports SLE-15 (src):    otrs-4.0.32-bp150.3.3.1
Comment 5 Marcus Meissner 2018-10-04 18:19:50 UTC
released