{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2019-18179", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-05T01:47:13.546Z", "dateReserved": "2019-10-17T00:00:00", "datePublished": "2020-01-06T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-08-31T02:07:01.437912"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where the attacker doesn't have permissions."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://community.otrs.com/security-advisory-2019-14-security-update-for-otrs-framework/"}, {"name": "[debian-lts-announce] 20200101 [SECURITY] [DLA 2053-1] otrs2 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00000.html"}, {"name": "openSUSE-SU-2020:0551", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html"}, {"name": "openSUSE-SU-2020:1475", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html"}, {"name": "openSUSE-SU-2020:1509", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html"}, {"name": "[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AC:L/AV:N/A:N/C:L/I:N/PR:L/S:U/UI:R", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:47:13.546Z"}, "title": "CVE Program Container", "references": [{"url": "https://community.otrs.com/security-advisory-2019-14-security-update-for-otrs-framework/", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20200101 [SECURITY] [DLA 2053-1] otrs2 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00000.html"}, {"name": "openSUSE-SU-2020:0551", "tags": ["vendor-advisory", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html"}, {"name": "openSUSE-SU-2020:1475", "tags": ["vendor-advisory", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html"}, {"name": "openSUSE-SU-2020:1509", "tags": ["vendor-advisory", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html"}, {"name": "[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:otrs:otrs:*:*:*:*:community:*:*:*", "matchCriteriaId": "5549FE6A-859B-4021-A39E-4F633D8AD77B", "versionEndIncluding": "5.0.38", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:otrs:otrs:*:*:*:*:community:*:*:*", "matchCriteriaId": "BDA63ED7-EE6D-47D1-8FED-28F5402CF290", "versionEndIncluding": "6.0.23", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*", "matchCriteriaId": "29A9CACF-A2E1-43A1-97E1-19EA515D22AC", "versionEndIncluding": "7.0.12", "versionStartIncluding": "7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensuse:backports_sle:15.0:-:*:*:*:*:*:*", "matchCriteriaId": "D83DA865-E4A6-4FBF-AA1B-A969EBA6B2AD", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*", "matchCriteriaId": "40513095-7E6E-46B3-B604-C926F1BA3568", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensuse:backports_sle:15.0:sp2:*:*:*:*:*:*", "matchCriteriaId": "67E82302-4B77-44F3-97B1-24C18AC4A35D", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where the attacker doesn't have permissions."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Open Ticket Request System (OTRS) versiones 7.0.x hasta la versi\u00f3n 7.0.12, y Community Edition versiones 5.0.x hasta 5.0.38 y 6.0.x hasta 6.0.23. Un atacante que ha iniciado sesi\u00f3n en OTRS como un agente es capaz de enumerar los tickets asignados a otros agentes, inclusive los tickets en una cola donde el atacante no tiene permisos."}], "id": "CVE-2019-18179", "lastModified": "2023-08-31T03:15:09.517", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-01-06T20:15:12.243", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://community.otrs.com/security-advisory-2019-14-security-update-for-otrs-framework/"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00000.html"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}