Bug 1174830 - (CVE-2020-1776) VUL-1: CVE-2020-1776: otrs: Invalidating or changing user does not invalidate session
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.1
Hardware: Other Other
Priority: P4 - Low
Severity: Normal
Assigned To: Christian Wittmer
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/264018/
Reported: 2020-08-03 14:31 UTC by Alexandros Toptsoglou
Modified: 2021-01-28 17:19 UTC
Found By: Security Response Team
Description Alexandros Toptsoglou 2020-08-03 14:31:54 UTC
CVE-2020-1776

When an agent user is renamed or set to invalid the session belonging to the
user is kept active. The session cannot be used to access ticket data in the
case the agent is invalid. This issue affects ((OTRS)) Community Edition: 6.0.28
and prior versions. OTRS: 7.0.18 and prior versions, 8.0.4 and prior versions.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1776
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1776.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1776
https://otrs.com/release-notes/otrs-security-advisory-2020-13/
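
Added example, not part of the original report and not OTRS code: a small Python model of the bug class described above, where a session table either keeps or purges an agent's sessions when the agent is renamed or set to invalid. The class `AgentSessions`, its methods and the `purge_on_change` switch are hypothetical names chosen for this illustration.

```python
import secrets

class AgentSessions:
    """Toy agent directory plus session table (constructed model, not OTRS code)."""

    def __init__(self, purge_on_change):
        # False reproduces the reported behaviour: sessions outlive the change.
        self.purge_on_change = purge_on_change
        self.agents = {}    # user_id -> {"login": str, "valid": bool}
        self.sessions = {}  # token -> {"user_id": int, "login": str}

    def add_agent(self, user_id, login):
        self.agents[user_id] = {"login": login, "valid": True}

    def login(self, user_id):
        agent = self.agents[user_id]
        if not agent["valid"]:
            raise PermissionError("agent is invalid")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user_id": user_id, "login": agent["login"]}
        return token

    def _purge(self, user_id):
        # Collect first, then delete, so the dict is not mutated while iterating.
        stale = [t for t, s in self.sessions.items() if s["user_id"] == user_id]
        for token in stale:
            del self.sessions[token]

    def set_invalid(self, user_id):
        self.agents[user_id]["valid"] = False
        if self.purge_on_change:
            self._purge(user_id)

    def rename(self, user_id, new_login):
        self.agents[user_id]["login"] = new_login
        if self.purge_on_change:
            self._purge(user_id)

    def session_is_live(self, token):
        """True if the token still exists in the session table."""
        return token in self.sessions

    def authorize(self, token):
        """Per-request check in this model: session must match a valid agent."""
        s = self.sessions.get(token)
        agent = self.agents.get(s["user_id"]) if s else None
        return bool(agent and agent["valid"] and agent["login"] == s["login"])
```

With `purge_on_change=False` the token of an invalidated agent stays in the table even though `authorize` rejects it; with `purge_on_change=True` the token is gone as soon as the agent record changes.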
Comment 1 Christian Wittmer 2020-08-03 14:54:03 UTC
ongoing work
Comment 2 OBSbugzilla Bot 2020-08-07 00:50:12 UTC
This is an autogenerated message for OBS integration:
This bug (1174830) was mentioned in
https://build.opensuse.org/request/show/824754 Factory / otrs
Comment 3 OBSbugzilla Bot 2020-08-07 01:50:11 UTC
This is an autogenerated message for OBS integration:
This bug (1174830) was mentioned in
https://build.opensuse.org/request/show/824755 15.1+15.2+Backports:SLE-15-SP1+Backports:SLE-15-SP2 / otrs
Comment 4 Alexandros Toptsoglou 2021-01-28 17:19:15 UTC
Leap 15.1 is getting EOL, Leap 15.2 is fixed