ITSM Configuration Management Package Security Fix Released
Continuing our efforts to ensure the security of ((OTRS)) Community Edition, we have just released a new security fix for one of the popular ITSM packages.
Having just published a fixed version of the FAQ package, the next item on our list was the ITSMConfigurationManagement package, which was the subject of another recent security advisory issued by OTRS AG: OSA-2021-07.
Again, the information provided in the advisory wasn't too specific:
"Agents are able to see linked Config Items without permissions, which are defined in General Catalog."
Our analysis of the package's source code revealed that an agent can craft a request for a specific version of a config item that they should not be allowed to access, and the system will still return the data.
We have implemented a solution and released a new version of the package. It is available for download as an OPM file in the Downloads section.