| Name | CVE-2017-14635 |
| Description | In Open Ticket Request System (OTRS) 3.3.x before 3.3.18, 4.x before 4.0.25, and 5.x before 5.0.23, remote authenticated users can leverage statistics-write permissions to gain privileges via code injection. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-1119-1, DSA-4021-1 |
| Debian Bugs | 876462 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| otrs2 (PTS) | buster/non-free | 6.0.16-2 | fixed |
| buster/non-free (security) | 6.0.16-2+deb10u1 | fixed | |
| bullseye/non-free | 6.0.32-6 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| otrs2 | source | wheezy | 3.3.18-1~deb7u1 | DLA-1119-1 | ||
| otrs2 | source | jessie | 3.3.18-1+deb8u1 | DSA-4021-1 | ||
| otrs2 | source | stretch | 5.0.16-1+deb9u2 | DSA-4021-1 | ||
| otrs2 | source | (unstable) | 5.0.23-1 | 876462 |
https://github.com/OTRS/otrs/commit/a4093dc404fcbd87b235b31c72913141672f2a85 (rel-5_0)
https://github.com/OTRS/otrs/commit/00bcc89dc2443b5d8b34a0908e224373926aa618 (rel-5_0)
https://github.com/OTRS/otrs/commit/b69c2533c951fa72bfe238f255ce76352f054897 (rel-5_0)
https://github.com/OTRS/otrs/commit/b92ec17196ac3e1fdcab40fbb16dbb602d5d52b5 (rel-5_0)
https://github.com/OTRS/otrs/commit/3ccc426ec220267d0cac8e3fdc39015a3db7d720 (rel-3_3)
https://github.com/OTRS/otrs/commit/f27dc65e4a937ba832d60e212ce6c9e3a28e406b (rel-3_3)
https://github.com/OTRS/otrs/commit/454c50116c2bf82dcd9dfee9146a7416be686875 (rel-3_3)
https://github.com/OTRS/otrs/commit/5468720cc8225a85699b1977ff230adbf9f8362d (rel-3_3)
https://github.com/OTRS/otrs/commit/0583dfda7bc9c7d76457aad68083f4b28a288ce5 (rel-3_3)
https://www.otrs.com/security-advisory-2017-04-security-update-otrs-versions/