CVE-2024-23791 - OpenCVE

Insertion of debug information into log file during building the elastic search index allows reading of sensitive information from articles.This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Otrs	Otrs

Configuration 1 [-]

OR	cpe:2.3:a:otrs:otrs::::::::
	cpe:2.3:a:otrs:otrs::::::::

No data.

References

Link	Providers
https://otrs.com/release-notes/otrs-security-advisory-2024-02/

History

No history.

MITRE

Status: PUBLISHED

Assigner: OTRS

Published: 2024-01-29T09:21:00.278Z

Updated: 2024-08-01T23:13:07.364Z

Reserved: 2024-01-22T10:32:00.704Z

Link: CVE-2024-23791

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-01-29T10:15:08.483

Modified: 2024-02-02T02:07:28.850

Link: CVE-2024-23791

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23791", "assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "state": "PUBLISHED", "assignerShortName": "OTRS", "dateReserved": "2024-01-22T10:32:00.704Z", "datePublished": "2024-01-29T09:21:00.278Z", "dateUpdated": "2024-08-01T23:13:07.364Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "modules": ["Log Backend"], "product": "OTRS", "vendor": "OTRS AG", "versions": [{"lessThanOrEqual": "7.0.48", "status": "affected", "version": "7.0.x", "versionType": "Patch"}, {"lessThanOrEqual": "8.0.37", "status": "affected", "version": "8.0.x", "versionType": "Patch"}, {"lessThanOrEqual": "2023.1.1", "status": "affected", "version": "2023.x", "versionType": "Patch"}]}], "datePublic": "2024-01-29T08:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Insertion of debug information into log file during building the elastic search index allows reading of sensitive information from articles.<p>This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.</p>"}], "value": "Insertion of debug information into log file during building the elastic search index allows reading of sensitive information from articles.This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.\n\n"}], "impacts": [{"capecId": "CAPEC-545", "descriptions": [{"lang": "en", "value": "CAPEC-545 Pull Data from System Resources"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "description": "CWE-532 Insertion of Sensitive Information into Log File", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "shortName": "OTRS", "dateUpdated": "2024-01-29T09:21:00.278Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://otrs.com/release-notes/otrs-security-advisory-2024-02/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>Update to OTRS Patch 2024.1.1</div><div>Update to OTRS 7.0.49 (Long Term Support Users)</div><br>"}], "value": "Update to OTRS Patch 2024.1.1\n\nUpdate to OTRS 7.0.49 (Long Term Support Users)\n\n"}], "source": {"advisory": "OSA-2024-02", "defect": ["Issue#1224", "Ticket#2021091742001128"], "discovery": "USER"}, "title": "Unnecessary data is written to log if issues during indexing occurs", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:13:07.364Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://otrs.com/release-notes/otrs-security-advisory-2024-02/"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E47E75A-C9A9-40EE-A5DE-B4CDD98E7B7F", "versionEndExcluding": "7.0.49", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*", "matchCriteriaId": "3B9B2075-4C3E-48C9-96DA-655E4F29325A", "versionEndExcluding": "2024.1.1", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Insertion of debug information into log file during building the elastic search index allows reading of sensitive information from articles.This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.\n\n"}, {"lang": "es", "value": "La inserci\u00f3n de informaci\u00f3n de depuraci\u00f3n en el archivo de registro durante la creaci\u00f3n del \u00edndice de b\u00fasqueda el\u00e1stico permite leer informaci\u00f3n confidencial de los art\u00edculos. Este problema afecta a OTRS: de 7.0.X a 7.0.48, de 8.0.X a 8.0.37, de 2023.X a 2023.1 .1."}], "id": "CVE-2024-23791", "lastModified": "2024-02-02T02:07:28.850", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security@otrs.com", "type": "Secondary"}]}, "published": "2024-01-29T10:15:08.483", "references": [{"source": "security@otrs.com", "tags": ["Vendor Advisory"], "url": "https://otrs.com/release-notes/otrs-security-advisory-2024-02/"}], "sourceIdentifier": "security@otrs.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-532"}], "source": "security@otrs.com", "type": "Secondary"}]}