VYPR
Unrated severity · NVD Advisory · Published Dec 5, 2019 · Updated Sep 16, 2024

Denial of service

CVE-2019-18180

Description

Improper Check for filenames with overly long extensions in PostMaster (sending in email) or uploading files (e.g. attaching files to mails) of ((OTRS)) Community Edition and OTRS allows a remote attacker to cause an endless loop. This issue affects: OTRS AG: ((OTRS)) Community Edition 5.0.x version 5.0.38 and prior versions; 6.0.x version 6.0.23 and prior versions. OTRS AG: OTRS 7.0.x version 7.0.12 and prior versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper filename extension length check in OTRS PostMaster (email sent in) and file upload causes an endless loop, affecting multiple versions.

Vulnerability

OTRS Community Edition and OTRS contain an improper check for filenames with overly long extensions in PostMaster (email sent in to the system) and in the file upload functionality (for example, attaching files to mails). This flaw leads to an endless loop when such a filename is processed. Affected versions include OTRS Community Edition 5.0.x up to 5.0.38, 6.0.x up to 6.0.23, and OTRS 7.0.x up to 7.0.12 [1].

Exploitation

A remote attacker can exploit this vulnerability by sending an email or uploading a file with an overly long extension to the affected system. No authentication is required, as the system processes incoming emails or file uploads automatically. The attacker does not need any special privileges; the condition is triggered upon processing the crafted filename.

Impact

Successful exploitation results in an endless loop, causing a denial of service (DoS) condition. The system may become unresponsive or crash, disrupting availability. The attack does not lead to data theft or modification, but the availability of the OTRS instance is compromised.

Mitigation

The vendor has released security updates to address this issue. Users should upgrade to OTRS Community Edition 5.0.39 or later, 6.0.24 or later, or OTRS 7.0.13 or later. For systems running the end-of-life 6.x branch, upgrading to a supported version (e.g., OTRS 7.x) is recommended [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
