Information disclosure in support bundle files
Description
Support bundle generated files could contain sensitive information that might be unwanted to be disclosed. This issue affects: ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS: 7.0.15 and prior versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Support bundle generation in OTRS versions prior to fixed releases may include sensitive information, leading to potential information disclosure.
Vulnerability
The vulnerability exists in the support bundle generation functionality of OTRS. Support bundles are ZIP archives containing logs and configuration files used for troubleshooting. The bug allows such bundles to inadvertently include sensitive information that was not intended to be disclosed. This affects ((OTRS)) Community Edition 5.0.41 and prior, 6.0.26 and prior, and OTRS 7.0.15 and prior [1].
Exploitation
An attacker must have high privileges (e.g., an agent role with access to generate support bundles) and rely on user interaction (e.g., an administrator generating and sharing the bundle). The attacker does not need local or adjacent network access; the attack vector is network-based. The specific steps involve generating a support bundle that includes the sensitive data and then accessing that bundle [1].
Impact
Successful exploitation leads to limited information disclosure (low confidentiality impact). The attacker gains access to sensitive data contained within the support bundle file. There is no impact on integrity or availability [1].
Mitigation
The issue is fixed in OTRS 7.0.16, ((OTRS)) Community Edition 6.0.27, and ((OTRS)) Community Edition 5.0.42. Patches are available via the GitHub commits referenced in the advisory. Organizations running affected versions should upgrade immediately. No workaround is documented [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=5.0.41, <=6.0.26
- OSV coordinates (5 versions):
  - pkg:rpm/opensuse/otrs&distro=openSUSE%20Leap%2015.1
  - pkg:rpm/opensuse/otrs&distro=openSUSE%20Leap%2015.2
  - pkg:rpm/suse/otrs&distro=SUSE%20Package%20Hub%2015
  - pkg:rpm/suse/otrs&distro=SUSE%20Package%20Hub%2015%20SP1
  - pkg:rpm/suse/otrs&distro=SUSE%20Package%20Hub%2015%20SP2
- (no CPE) range: < 5.0.42-bp151.3.3.1
- (no CPE) range: < 6.0.29-bp152.2.5.4
- (no CPE) range: < 5.0.42-bp151.3.3.1
- (no CPE) range: < 5.0.42-bp151.3.3.1
- (no CPE) range: < 6.0.29-bp152.2.5.4
- OTRS AG / ((OTRS)) Community Edition v5, Range: 5.0.x
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html (mitre, vendor-advisory)
- lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html (mitre, vendor-advisory)
- lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2020/05/msg00000.html (mitre, mailing-list)
- lists.debian.org/debian-lts-announce/2023/08/msg00040.html (mitre, mailing-list)
- otrs.com/release-notes/otrs-security-advisory-2020-07/ (mitre)
News mentions
No linked articles in our index yet.