CVE-2018-7567

Name: CVE-2018-7567
Description: ** DISPUTED ** In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenticated admins are able to exploit a Blind Remote Code Execution vulnerability by loading a crafted opm file with an embedded CodeInstall element to execute a command on the server during package installation. NOTE: the vendor disputes this issue stating "the behaviour is as designed and needed for different packages to be installed", "there is a security warning if the package is not verified by OTRS Group", and "there is the possibility and responsibility of an admin to check packages before installation which is possible as they are not binary."
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: high (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                                       | Version          | Status
otrs2 (PTS)    | stretch/non-free (security), stretch/non-free | 5.0.16-1+deb9u6  | vulnerable
otrs2 (PTS)    | buster/non-free, sid/non-free                 | 6.0.14-1         | vulnerable
otrs2 (PTS)    | jessie                                        | 3.3.18-1+deb8u4  | vulnerable
otrs2 (PTS)    | jessie (security)                             | 3.3.18-1+deb8u7  | vulnerable

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version | Urgency     | Origin | Debian Bugs
otrs2   | source | (unstable) | (unfixed)     | unimportant |        |

Notes

PoC: https://0day.today/exploit/29938
Admin Package Manager works as designed and warns if a package is being
installed which is not verified by the OTRS Group. It is the responsibility of the
respective admin to check packages before installation.
