Vulnerability CVE-2019-18179

Vulnerability Name:

CVE-2019-18179 (CCN-174113)

Assigned:

2019-11-15

Published:

2019-11-15

Updated:

2022-05-03

Summary:

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where the attacker doesn't have permissions.

CVSS v3 Severity:

4.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
3.8 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

3.5 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)
3.1 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-noinfo

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2019-18179

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2020:0551

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2020:1475

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2020:1509

Source: CCN
Type: OTRS Web site
Security Advisory 2019-14: Security Update for OTRS Framework

Source: MISC
Type: Patch, Vendor Advisory
https://community.otrs.com/security-advisory-2019-14-security-update-for-otrs-framework/

Source: XF
Type: UNKNOWN
otrs-cve201918179-info-disc(174113)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20200101 [SECURITY] [DLA 2053-1] otrs2 security update

Vulnerable Configuration:

Configuration 1:

cpe:/a:otrs:otrs:*:*:*:*:community:*:*:* (Version >= 5.0.0 and <= 5.0.38)

OR cpe:/a:otrs:otrs:*:*:*:*:community:*:*:* (Version >= 6.0.0 and <= 6.0.23)

OR cpe:/a:otrs:otrs:*:*:*:*:*:*:*:* (Version >= 7.0.0 and <= 7.0.12)

Configuration 2:

cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration 3:

cpe:/a:opensuse:backports_sle:15.0:-:*:*:*:*:*:*

OR cpe:/a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*

OR cpe:/a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:*

OR cpe:/o:opensuse:leap:15.1:*:*:*:*:*:*:*

OR cpe:/o:opensuse:leap:15.2:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:otrs:otrs:7.0.12:*:*:*:*:*:*:*

OR cpe:/a:otrs:otrs:5.0.38:*:*:*:community:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:201918179	V	CVE-2019-18179	2022-05-22
oval:org.opensuse.security:def:93594	P	(Moderate)	2021-12-23
oval:org.opensuse.security:def:64827	P	Security update for xorg-x11-server (Important)	2021-12-21
oval:org.opensuse.security:def:64638	P	Security update for postgresql10 (Important)	2021-12-14
oval:org.opensuse.security:def:64618	P	Security update for postgresql13 (Important)	2021-11-22
oval:org.opensuse.security:def:64617	P	Security update for postgresql14 (Important)	2021-11-22
oval:org.opensuse.security:def:64580	P	Security update for gd (Moderate)	2021-09-27
oval:org.opensuse.security:def:64750	P	Security update for dbus-1 (Moderate)	2021-08-23
oval:org.opensuse.security:def:63337	P	libct4-1.1.36-3.3.1 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63102	P	reiserfs-kmp-default-5.3.18-57.3 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63326	P	erlang-rabbitmq-client-3.8.11-1.26 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63475	P	graphviz-gnome-2.40.1-6.6.8 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:62827	P	python3-cupshelpers-1.5.7-6.27 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62823	P	perl-MIME-Charset-1.012.2-1.24 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:63033	P	perl-DNS-LDNS-1.7.0-4.3.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62830	P	spice-vdagent-0.20.0-1.51 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:64885	P	Security update for containerd (Moderate)	2021-07-20
oval:org.opensuse.security:def:100307	P	(Important)	2021-07-12
oval:org.opensuse.security:def:64725	P	Security update for the Linux Kernel (Important)	2021-06-28
oval:org.opensuse.security:def:64524	P	Security update for ucode-intel (Important)	2021-06-10
oval:org.opensuse.security:def:63529	P	bluez-cups-5.48-3.7 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:62856	P	jython-2.2.1-4.36 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:62855	P	guile-2.0.14-3.18 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:63077	P	pam-modules-12.1-3.17 on GA media (Moderate)	2021-04-29
oval:org.opensuse.security:def:63074	P	libopenssl-1_0_0-devel-1.0.2p-3.14.2 on GA media (Moderate)	2021-04-29
oval:org.opensuse.security:def:63070	P	java-10-openjdk-10.0.2.0-3.3.3 on GA media (Moderate)	2021-04-29
oval:org.opensuse.security:def:64481	P	Security update for giflib (Low)	2021-04-28
oval:org.opensuse.security:def:64478	P	Security update for apache-commons-io (Moderate)	2021-04-20
oval:org.opensuse.security:def:74692	P	Security update for rpmlint (Moderate)	2021-02-25
oval:org.opensuse.security:def:63135	P	clamsap-0.99.25-2.37 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62655	P	libXinerama1-32bit-1.1.3-1.22 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62679	P	liblouis-data-3.11.0-1.42 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62656	P	libXp6-32bit-1.0.3-1.24 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63573	P	freerdp-2.0.0~rc4-8.4 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63280	P	libsaml-devel-2.6.1-1.31 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:74825	P	Recommended update for otrs (Moderate)	2020-12-01
oval:org.opensuse.security:def:63676	P	Security update for sqlite3 (Moderate)	2020-12-01
oval:org.opensuse.security:def:64412	P	libzmq5 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:64371	P	libpoppler-cpp0 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:64152	P	Security update for samba (Important)	2020-12-01
oval:org.opensuse.security:def:75072	P	Recommended update for otrs (Moderate)	2020-12-01
oval:org.opensuse.security:def:64162	P	Security update for libvirt (Important)	2020-12-01
oval:org.opensuse.security:def:63923	P	Security update for ghostscript (Important)	2020-12-01
oval:org.opensuse.security:def:74939	P	Security update for slurm (Important)	2020-12-01
oval:org.opensuse.security:def:64028	P	Security update for mozilla-nspr, mozilla-nss (Moderate)	2020-12-01
oval:org.opensuse.security:def:63776	P	Security update for qemu (Important)	2020-12-01
oval:org.opensuse.security:def:64997	P	Security update for targetcli-fb (Moderate)	2020-12-01
oval:org.opensuse.security:def:64370	P	libpolkit0 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:63701	P	Security update for java-1_7_0-openjdk (Moderate)	2020-12-01
oval:org.opensuse.security:def:74590	P	Recommended update for otrs (Moderate)	2020-12-01
oval:org.opensuse.security:def:64268	P	Security update for xorg-x11-server (Important)	2020-12-01
oval:org.opensuse.security:def:64234	P	cups-filters on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:74464	P	Security update for haproxy (Moderate)	2020-12-01
oval:org.opensuse.security:def:63905	P	Security update for freeradius-server (Moderate)	2020-12-01
oval:org.opensuse.security:def:100233	P	(Moderate)	2020-10-13
oval:org.opensuse.security:def:109712	P	Recommended update for otrs (Moderate)	2020-09-23
oval:org.opensuse.security:def:96365	P	Recommended update for otrs (Moderate)	2020-09-23
oval:org.opensuse.security:def:103055	P	Recommended update for otrs (Moderate)	2020-09-23
oval:org.opensuse.security:def:110767	P	Recommended update for otrs (Moderate)	2020-09-20
oval:org.opensuse.security:def:109708	P	Recommended update for otrs (Moderate)	2020-09-20
oval:org.opensuse.security:def:96361	P	Recommended update for otrs (Moderate)	2020-09-20
oval:org.opensuse.security:def:110214	P	Recommended update for otrs (Moderate)	2020-09-20
oval:org.opensuse.security:def:103051	P	Recommended update for otrs (Moderate)	2020-09-20
oval:org.opensuse.security:def:93520	P	Recommended update for otrs (Moderate)	2020-09-20
oval:org.opensuse.security:def:110487	P	Recommended update for otrs (Moderate)	2020-04-25
oval:com.ubuntu.disco:def:2019181790000000	V	CVE-2019-18179 on Ubuntu 19.04 (disco) - medium.	2020-01-06
oval:com.ubuntu.bionic:def:2019181790000000	V	CVE-2019-18179 on Ubuntu 18.04 LTS (bionic) - medium.	2020-01-06
oval:com.ubuntu.xenial:def:2019181790000000	V	CVE-2019-18179 on Ubuntu 16.04 LTS (xenial) - medium.	2020-01-06

BACK