| Name | CVE-2017-16854 |
| Description | In Open Ticket Request System (OTRS) through 3.3.20, 4 through 4.0.26, 5 through 5.0.24, and 6 through 6.0.1, an attacker who is logged in as a customer can use the ticket search form to disclose internal article information of their customer tickets. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-1212-1, DSA-4066-1 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| otrs2 (PTS) | buster/non-free | 6.0.16-2 | fixed |
| buster/non-free (security) | 6.0.16-2+deb10u1 | fixed | |
| bullseye/non-free | 6.0.32-6 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| otrs2 | source | wheezy | 3.3.18-1~deb7u2 | DLA-1212-1 | ||
| otrs2 | source | jessie | 3.3.18-1+deb8u3 | DSA-4066-1 | ||
| otrs2 | source | stretch | 5.0.16-1+deb9u4 | DSA-4066-1 | ||
| otrs2 | source | (unstable) | 6.0.2-1 |
https://www.otrs.com/security-advisory-2017-08-security-update-otrs-framework/
https://bugs.otrs.org/show_bug.cgi?id=13347
OTRS-6: https://github.com/OTRS/otrs/commit/867aba14900f17caacb0285a08b6981bbdbbe016
OTRS-5: https://github.com/OTRS/otrs/commit/8748d040058695fda5c9cfcb2a78d8947ed4188d
OTRS-4: https://github.com/OTRS/otrs/commit/e0deab303e3d0f7c860bba291410512734f4d6b0