DescriptionDoS attack can be performed when an email contains specially designed URL in the body. It can lead to the high CPU usage and cause low quality of service, or in extreme case bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions; 8.0.x version 8.0.13 and prior versions.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs989992

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
otrs2 (PTS)buster/non-free6.0.16-2vulnerable
buster/non-free (security)6.0.16-2+deb10u1fixed
znuny (PTS)bookworm/non-free6.5.1-1fixed
trixie/non-free, sid/non-free6.5.8-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
znunysource(unstable)(not affected)


[stretch] - otrs2 <no-dsa> (Non-free not supported)
- znuny <not-affected> (Fixed before initial upload to Debian)
Fixed by: (rel-6_0_33)

Search for package or bug name: Reporting problems