Description
Security update for otrs
This update for otrs fixes the following security issues:
- CVE-2017-15864: Remote authenticated attackers could have caused otrs to disclose configuration information, including database credentials (boo#1068677, OSA-2017-06)
- CVE-2017-16664: Remote authenticated attackers could have caused the execution of shell commands with the permission of the web server user (boo#1069391, OSA-2017-07)
Package list
openSUSE Leap 42.2
otrs-3.3.20-14.1
otrs-doc-3.3.20-14.1
otrs-itsm-3.3.14-14.1
openSUSE Leap 42.3
otrs-3.3.20-14.1
otrs-doc-3.3.20-14.1
otrs-itsm-3.3.14-14.1
References
- E-Mail link for openSUSE-SU-2017:3054-1
- SUSE Security Ratings
Description
In the Agent Frontend in Open Ticket Request System (OTRS) 3.3.x through 3.3.18, with a crafted URL it is possible to gain information like database user and password.
Affected products
openSUSE Leap 42.2:otrs-3.3.20-14.1
openSUSE Leap 42.2:otrs-doc-3.3.20-14.1
openSUSE Leap 42.2:otrs-itsm-3.3.14-14.1
openSUSE Leap 42.3:otrs-3.3.20-14.1
References
- CVE-2017-15864
- SUSE Bug 1068677
Description
Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26, and 3.3 before 3.3.20. In the agent interface, an authenticated remote attacker can execute shell commands as the webserver user via URL manipulation.
Affected products
openSUSE Leap 42.2:otrs-3.3.20-14.1
openSUSE Leap 42.2:otrs-doc-3.3.20-14.1
openSUSE Leap 42.2:otrs-itsm-3.3.14-14.1
openSUSE Leap 42.3:otrs-3.3.20-14.1
References
- CVE-2017-16664
- SUSE Bug 1069391