CVE-2024-23794

15.07.2024, 08:15

An incorrect privilege assignment vulnerability in the inline editing functionality of OTRS can lead to privilege escalation. This flaw allows an agent with read-only permissions to gain full access to a ticket. This issue arises in very rare instances when an admin has previously enabled the setting 'RequiredLock' of 'AgentFrontend::Ticket::InlineEditing::Property###Watch' in the system configuration.This issue affects OTRS:

  *  8.0.X
  *  2023.X
  *  from 2024.X through 2024.4.x

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.2 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N
OTRS	CNA	5.2 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 23%

Vendor	Product	Version
otrs	otrs	8.0.0 ≤ 𝑥 < 2024.5.2

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

znuny

noble	not-affected
jammy	dne
focal	dne

Common Weakness Enumeration

CWE-266 - Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

References

https://otrs.com/release-notes/otrs-security-advisory-2024-06/