Lucene search

OTRSCVELIST:CVE-2024-23791

HistoryJan 29, 2024 - 9:21 a.m.

CVE-2024-23791 Unnecessary data is written to log if issues during indexing occurs

2024-01-2909:21:00

CWE-532

OTRS

www.cve.org

elasticsearch

log file

sensitive information

otrs

data exposure

cve-2024-23791

indexing issues

4.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

37.1%

JSON

Insertion of debug information into log file during building the elastic search index allows reading of sensitive information from articles.This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.

CNA Affected

[
  {
    "defaultStatus": "unknown",
    "modules": [
      "Log Backend"
    ],
    "product": "OTRS",
    "vendor": "OTRS AG",
    "versions": [
      {
        "lessThanOrEqual": "7.0.48",
        "status": "affected",
        "version": "7.0.x",
        "versionType": "Patch"
      },
      {
        "lessThanOrEqual": "8.0.37",
        "status": "affected",
        "version": "8.0.x",
        "versionType": "Patch"
      },
      {
        "lessThanOrEqual": "2023.1.1",
        "status": "affected",
        "version": "2023.x",
        "versionType": "Patch"
      }
    ]
  }
]

References

otrs.com/release-notes/otrs-security-advisory-2024-02/

4.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

37.1%

JSON

Related for CVELIST:CVE-2024-23791