| Name | CVE-2017-15864 |
| Description | In the Agent Frontend in Open Ticket Request System (OTRS) 3.3.x through 3.3.18, with a crafted URL it is possible to gain information like database user and password. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-1212-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| otrs2 (PTS) | buster/non-free | 6.0.16-2 | fixed |
| buster/non-free (security) | 6.0.16-2+deb10u1 | fixed |
| bullseye/non-free | 6.0.32-6 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| otrs2 | source | wheezy | 3.3.18-1~deb7u2 | | DLA-1212-1 | |
| otrs2 | source | jessie | 3.3.18-1+deb8u2 | | | |
| otrs2 | source | (unstable) | 4.0.7-2 | | | |
Notes
https://www.otrs.com/security-advisory-2017-06-security-update-otrs-3-3/
https://github.com/OTRS/otrs/compare/3bc58ebeb9bdbe8107251a03cf7b9b8cfc515f53...80a0a9a138278d63a2621d146eb3c29e982aa2d5
Root cause for the issue is the recursive parsing handling in the old
DTL template engine that OTRS used up to OTRS 3.3. Starting with OTRS 4
OTRS switched to a new Template::Toolkit based engine which does not perform
recursive parsing and not affected by this issue.