Release Note
OTRS Security Advisory 2024-06
Please read carefully and check if the version of your OTRS system is affected by this vulnerability.
Please send information regarding vulnerabilities in OTRS to: security@otrs.org
PGP Key
- pub 2048R/9C227C6B 2011-03-21
- uid OTRS Security Team <security@otrs.org>
- GPG Fingerprint E330 4608 DA6E 34B7 1551 C244 7F9E 44E9 9C22 7C6B
Security Advisory Details
- ID: OSA-2024-06
- Date: 2024-07-15
- Title: Agents are able to lock the ticket without the “Owner” permission
- Severity CVSS v3.1: 5.2 MEDIUM
- Severity CVSS v4.0: 5.6 MEDIUM
- Urgency: Reduced
- Product: OTRS
- Fixed in: OTRS 2024.5.2
- CVSS VECTOR: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N * CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/U:Green
- References: CVE-2024-23794
Agents are able to lock the ticket without the “Owner” permission
An incorrect privilege assignment vulnerability in the inline editing functionality of OTRS can lead to privilege escalation. This flaw allows an agent with read-only permissions to gain full access to a ticket. This issue arises in very rare instances when an admin has previously enabled the setting ‘RequiredLock’ of ‘AgentFrontend::Ticket::InlineEditing::Property###Watch’ in the system configuration.
PRODUCT AFFECTED:
This issue affects
OTRS:
- 8.0.X
- 2023.X
- from 2024.X through 2024.4.x
Required Configuration for Exposure:
The sub setting RequiredLock of AgentFrontend::Ticket::InlineEditing::Property###Watch has to be activated by an administrator first and Ticket::Permission###1-OwnerCheck is enabled (default).
Problem:
CWE-266 Incorrect Privilege Assignment CWE-266
Impact:
CAPEC-233 Privilege Escalation CAPEC-233
Product Status
| Product | Affected |
| OTRS AG OTRS » inline editing
Default status is affected |
8.0.x
2023.x from 2024.x through 2024.4.x |
SOLUTION:
Update to OTRS 2024.5.2
WORKAROUND:
deactivate RequiredLock of AgentFrontend::Ticket::InlineEditing::Property###Watch or disable Ticket::Permission###1-OwnerCheck