SB2019061714 - Information disclosure in Debian Linux

Description

This security bulletin contains information about 1 vulnerability.

1) Information disclosure (CVE-ID: CVE-2019-12497)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.8, Community Edition 6.0.x through 6.0.19, and Community Edition 5.0.x through 5.0.36. In the customer or external frontend, personal information of agents (e.g., Name and mail address) can be disclosed in external notes.

Remediation

Install update from vendor's website.

References

• http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html
• https://community.otrs.com/category/security-advisories-en/
• https://lists.debian.org/debian-lts-announce/2019/06/msg00004.html