CVE-2014-9324

Name: CVE-2014-9324
Description: The GenericInterface in OTRS Help Desk 3.2.x before 3.2.17, 3.3.x before 3.3.11, and 4.0.x before 4.0.3 allows remote authenticated users to access and modify arbitrary tickets via unspecified vectors.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DSA-3124-1
NVD severity: medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| otrs2 (PTS) | stretch/non-free (security), stretch/non-free | 5.0.16-1+deb9u3 | fixed |
| otrs2 | sid/non-free, buster/non-free | 6.0.2-1 | fixed |
| otrs2 | wheezy | 3.1.7+dfsg1-8+deb7u5 | fixed |
| otrs2 | wheezy (security) | 3.3.18-1~deb7u1 | fixed |
| otrs2 | jessie (security), jessie | 3.3.18-1+deb8u2 | fixed |

The information below is based on the following data on fixed versions.

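| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| otrs2 | source | (unstable) | 3.3.9-3 | medium | | |
| otrs2 | source | squeeze | (not affected) | | | |
| otrs2 | source | wheezy | 3.1.7+dfsg1-8+deb7u5 | medium | DSA-3124-1 | |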

Notes

[squeeze] - otrs2 <not-affected> (Problematic module got introduced later)
https://www.otrs.com/security-advisory-2014-06-incomplete-access-control/
Fix for 3.1.x: https://github.com/OTRS/otrs/commit/3058438a372db0d1a11c365d48a5fc7b1db24e90
