CVE-2024-43444

EUVD-2024-40281

26.08.2024, 09:15

Passwords of agents and customers are displayed in plain text in the OTRS admin log module if certain configurations regarding the authentication sources match and debugging for the authentication backend has been enabled.

This issue affects: 

  *  OTRS from 7.0.X through 7.0.50
  *  OTRS 8.0.X
  *  OTRS 2023.X
  *  OTRS from 2024.X through 2024.5.X
  *  ((OTRS)) Community Edition: 6.0.x

Products based on the ((OTRS)) Community Edition also very likely to be affected

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.2 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
OTRS	CNA	8.2 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 41%

Ubuntu Releases

Ubuntu Product

Codename

znuny

focal	dne
jammy	dne
noble	needs-triage
oracular	ignored
plucky	needs-triage
questing	needs-triage

Common Weakness Enumeration

CWE-532 - Insertion of Sensitive Information into Log File
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

References

https://otrs.com/release-notes/otrs-security-advisory-2024-12/