Release Note
OTRS Security Advisory 2023-03
Please read carefully and check if the version of your OTRS system is affected by this vulnerability.
Please send information regarding vulnerabilities in OTRS to: security@otrs.org
PGP Key
- pub 2048R/9C227C6B 2011-03-21
- uid OTRS Security Team <security@otrs.org>
- GPG Fingerprint E330 4608 DA6E 34B7 1551 C244 7F9E 44E9 9C22 7C6B
Security Advisory Details
- ID: OSA-2023-03
- Date: 2023-05-08
- Title: Information disclouse and DoS via websocket push events
- Severity: 7.6 HIGH
- Product: OTRS 8.0.x
- Fixed in: OTRS 8.0.32
- FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
- References: CVE-2023-2534
OSA-2023-03 Information disclouse and DoS via websocket push events (CVE-2023-2534)
Improper Authorization vulnerability in OTRS AG OTRS 8 (Websocket API backend) allows any as Agent authenticated attacker to track user behaviour and to gain live insight into overall system usage. User IDs can easily be correlated with real names e. g. via
ticket histories by any user. (Fuzzing for garnering other adjacent user/sensitive data). Subscribing to all possible push events could also lead to performance implications on the server side, depending on the size of the installation
and the number of active users. (Flooding)
PRODUCT AFFECTED:
This issue affects
PROBLEM:
Impact:
Product Status
Product | Affected |
OTRS AG OTRS » Websocket API
Default status is affected |
from 8.0.x before 8.0.32 |
SOLUTION:
MODIFICATION HISTORY:
- —
RELATED LINKS:
CVSS SCORE:
CVSS v3.1 VECTOR: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
RISK LEVEL:
HIGH