Release Note

OTRS Security Advisory 2023-03

Please read carefully and check if the version of your OTRS system is affected by this vulnerability.

Please send information regarding vulnerabilities in OTRS to: security@otrs.org

PGP Key

  • pub 2048R/9C227C6B 2011-03-21
  • uid OTRS Security Team <security@otrs.org>
  • GPG Fingerprint E330 4608 DA6E 34B7 1551 C244 7F9E 44E9 9C22 7C6B

Security Advisory Details

  • ID: OSA-2023-03
  • Date: 2023-05-08
  • Title: Information disclouse and DoS via websocket push events
  • Severity: 7.6 HIGH
  • Product: OTRS 8.0.x
  • Fixed in: OTRS 8.0.32
  • FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
  • References: CVE-2023-2534

OSA-2023-03 Information disclouse and DoS via websocket push events (CVE-2023-2534)

Improper Authorization vulnerability in OTRS AG OTRS 8 (Websocket API backend) allows any as Agent authenticated attacker to track user behaviour and to gain live insight into overall system usage. User IDs can easily be correlated with real names e. g. via
ticket histories by any user. (Fuzzing for garnering other adjacent user/sensitive data). Subscribing to all possible push events could also lead to performance implications on the server side, depending on the size of the installation
and the number of active users. (Flooding)

PRODUCT AFFECTED:

This issue affects

OTRS: from 8.0.X before 8.0.32.

PROBLEM:

CWE-285 Improper Authorization CWE-285

Impact:

CAPEC-261 Fuzzing for garnering other adjacent user/sensitive data CAPEC-261
CAPEC-125 Flooding CAPEC-125

Product Status

Product Affected
OTRS AG OTRS » Websocket API

Default status is affected

from 8.0.x before 8.0.32

SOLUTION:

Update to OTRS 8.0.32

MODIFICATION HISTORY:

CVSS SCORE:

CVSS v3.1 VECTOR: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

RISK LEVEL:

HIGH

ACKNOWLEDGEMENTS:

Special thanks to Maximilian Gutwein for reporting these vulnerability.

Release Details

  • Release:
    OTRS Security Advisory 2023-03
  • Release date:
    05/08/2023