Bug 563486 (CVE-2010-0438, OSA-2010-01)

Summary: CVE-2010-0438 OTRS: Multiple SQL injection flaws in OTRS-Core (OSA-2010-01)
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: dennis
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://otrs.org/advisory/OSA-2010-01-en/
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-29 17:53:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 635847    
Bug Blocks:    

Description Jan Lieskovsky 2010-02-10 11:54:15 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0438 to
the following vulnerability:

Multiple SQL injection vulnerabilities in Kernel/System/Ticket.pm in
OTRS-Core in Open Ticket Request System (OTRS) 2.1.x before 2.1.9,
2.2.x before 2.2.9, 2.3.x before 2.3.5, and 2.4.x before 2.4.7 allow
remote authenticated users to execute arbitrary SQL commands via
unspecified vectors.

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0438
  http://otrs.org/advisory/OSA-2010-01-en/
  http://otrs.org/releases/2.4.7/
  http://source.otrs.org/viewvc.cgi/otrs/Kernel/System/Ticket.pm?view=log
  http://www.otrs.org/news/2010/otrs_2-4-7/
  http://www.securityfocus.com/bid/38146
  http://www.osvdb.org/62181
  http://secunia.com/advisories/38507
Comment 1 Jan Lieskovsky 2010-02-10 11:55:37 UTC 
This issue affects the version of the otrs package, as shipped
within EPEL-5 project.

Please fix / rebase.
Comment 2 Vincent Danen 2014-01-29 17:53:38 UTC 
OTRS has been removed from EPEL5, so this flaw no longer affects anything currently shipped.