CVE-2017-17476

Name: CVE-2017-17476
Description: Open Ticket Request System (OTRS) 4.0.x before 4.0.28, 5.0.x before 5.0.26, and 6.0.x before 6.0.3, when cookie support is disabled, might allow remote attackers to hijack web sessions and consequently gain privileges via a crafted email.
Source: CVE (cross-references at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search)
References: DLA-1215-1, DSA-4069-1
NVD severity: medium (attack range: remote)
Debian Bugs: 884801

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                                        Version            Status
otrs2 (PTS)      stretch/non-free (security), stretch/non-free  5.0.16-1+deb9u6    fixed
                 buster/non-free, sid/non-free                  6.0.14-1           fixed
                 jessie                                         3.3.18-1+deb8u4    fixed
                 jessie (security)                              3.3.18-1+deb8u7    fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version      Urgency   Origin       Debian Bugs
otrs2     source   (unstable)   6.0.3-1            medium    -            884801
otrs2     source   jessie       3.3.18-1+deb8u4    medium    DSA-4069-1   -
otrs2     source   stretch      5.0.16-1+deb9u5    medium    DSA-4069-1   -
otrs2     source   wheezy       3.3.18-1~deb7u3    medium    DLA-1215-1   -
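To turn the fixed-version table into a local check, the following is an added example written for this page (it is not code from the Debian tracker, the otrs2 package or OTRS). It copies the fixed versions from the table into a map, reimplements dpkg's version comparison in Python so the check also runs on a non-Debian host, and reports whether a given otrs2 version on a given release is at or above the fixed version. Mapping buster and sid onto the (unstable) row is an assumption taken from the first table, which lists them together at 6.0.14-1; on a Debian host, `dpkg --compare-versions` gives the same ordering.

```python
"""Is an installed otrs2 version fixed for CVE-2017-17476?

Added example for this tracker page, not code from Debian or OTRS.
FIXED_VERSIONS is copied from the fixed-version table; the comparison
re-implements dpkg's verrevcmp() so the check also runs off a Debian host.
"""

# Fixed otrs2 versions per release, from the table above.  buster and sid
# are mapped onto the (unstable) row: assumption, based on the first table
# listing them together at 6.0.14-1.
FIXED_VERSIONS = {
    "wheezy": "3.3.18-1~deb7u3",
    "jessie": "3.3.18-1+deb8u4",
    "stretch": "5.0.16-1+deb9u5",
    "unstable": "6.0.3-1",
}
RELEASE_ALIASES = {"sid": "unstable", "buster": "unstable"}


def _order(c):
    """dpkg character weight: '~' sorts before anything, even end of string."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments like dpkg's verrevcmp(): <0, 0, >0."""
    def ch(s, k):
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights until a digit (or end) on both sides.
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros, then the longer run wins,
        # otherwise the first differing digit decides.
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no Debian revision at all
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Negative, zero or positive, matching `dpkg --compare-versions v1 lt/eq/gt v2`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def otrs2_status(release, installed):
    """'fixed' if `installed` is at or above the fixed version for `release`, else 'vulnerable'."""
    fixed = FIXED_VERSIONS[RELEASE_ALIASES.get(release, release)]
    return "fixed" if compare_versions(installed, fixed) >= 0 else "vulnerable"


if __name__ == "__main__":
    # Versions from the tables above plus a backport-style '~' case.
    for rel, ver in [
        ("stretch", "5.0.16-1+deb9u6"),
        ("stretch", "5.0.16-1+deb9u4"),
        ("jessie", "3.3.18-1+deb8u7"),
        ("sid", "6.0.14-1"),
        ("unstable", "6.0.3-1~bpo9+1"),
    ]:
        print(f"{rel:9} {ver:18} {otrs2_status(rel, ver)}")
```

The `~` handling matters in practice: a backport such as 6.0.3-1~bpo9+1 sorts below 6.0.3-1 in dpkg's ordering, so it is reported as not yet at the fixed version even though its upstream part reads 6.0.3.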

Notes

Upstream advisory (OTRS security advisory 2017-10): https://www.otrs.com/security-advisory-2017-10-security-update-otrs-framework/
Upstream fix, OTRS 6: https://github.com/OTRS/otrs/commit/36e3be99cfe8a9e09afa1b75fdc39f3e28f561fc
Upstream fix, OTRS 5: https://github.com/OTRS/otrs/commit/720c73fbf53e476ca7dfdf2ae1d4d3d2aad2b953
Upstream fix, OTRS 4: https://github.com/OTRS/otrs/commit/26707eaaa791648e6c7ad6aeaa27efd70e7c66eb
