
Znuny/OTRS security issues (CVE-2021-36092, CVE-2021-36091, CVE-2021-21443, CVE-2021-21440)
Closed, Resolved · Public · Security

Description

There are new OTRS security issues, they most probably affect Znuny as well, but need to be confirmed with them:

OSA-2021-15 XSS attack using special link in email (CVE-2021-36092)
https://otrs.com/release-notes/otrs-security-advisory-2021-15/
(This might be https://www.znuny.org/en/advisories/zsa-2021-06, not 100% sure with the details available)

OSA-2021-14 Unauthorized access to the calendar appointments (CVE-2021-36091)
https://otrs.com/release-notes/otrs-security-advisory-2021-14/

OSA-2021-13 Unauthorized listing of the customer user emails (CVE-2021-21443)
https://otrs.com/release-notes/otrs-security-advisory-2021-13/

OSA-2021-10 Support Bundle includes S/Mime and PGP keys (CVE-2021-21440)
https://otrs.com/release-notes/otrs-security-advisory-2021-10/

Event Timeline

Znuny 6.0.36 fixes the following issues: (https://www.znuny.org/en/releases/znuny-6-0-36)

ZSA-2021-10 Unauthorized access to list appointments CVE-2021-36091
ZSA-2021-09 Unauthorized listing of the customer user emails CVE-2021-21443
ZSA-2021-08 Support bundle includes SMIME / PGP Keys CVE-2021-21440
ZSA-2021-07 XSS vulnerability in Time Accounting add-on CVE-2021-21442

For the other ones OTRS AG didn't disclose enough information to assess whether Znuny is affected (although it's very likely given they recently forked:
https://github.com/znuny/Znuny/issues/105#issuecomment-894013730)

There's nothing much we can do here I think, and we can simply close the task once Znuny 6.0.36 is deployed.

akosiaris claimed this task.

Thanks @MoritzMuehlenhoff. I've upgraded already to 6.0.37.

akosiaris changed the visibility from "Custom Policy" to "Public (No Login Required)". Oct 6 2021, 8:21 AM

Switching to be visible to anyone, we've patched, so the issues are mitigated/resolved, we can let the community find this information more easily now.