OTRS
cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*
- ~7.0
- ~8.0
- ~2023
- ~2024
A vulnerability exists in OTRS versions 7.0.X, 8.0.X, 2023.X, 2024.X, and in OTRS Community Edition 6.0.x. This issue arises from certain errors in upstream libraries that inadvertently introduce sensitive information, such as SMTP passwords, into the OTRS log files and into emails sent to the system administrator. Products based on OTRS Community Edition are also likely affected.
This vulnerability allows sensitive information, including SMTP passwords, to be exposed in cleartext, potentially leading to unauthorized access or actions via the SMTP protocol.
Users can update to OTRS version 2025.1.x. Note that there will be no patches for OTRS 7. For OTRS Community Edition, version 6.0.34 is the last release before the vulnerability was introduced. As a workaround, consider using a local Mail Transfer Agent (MTA) for sending emails instead of the SMTP configuration within OTRS.
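To check whether the SMTP password has already reached a log file, the following added example (not part of the advisory or of OTRS) scans log lines for the configured secret and reports matches with the secret redacted. It goes beyond the cleartext case described above by also matching the base64 forms used by SMTP AUTH LOGIN and AUTH PLAIN; the environment variable names `SMTP_SECRET` and `SMTP_USER`, the sample credentials and the sample log lines are constructed assumptions.

```python
import base64
import os
import sys

# Constructed sample values and log lines; not real OTRS output.
SAMPLE_USER = "otrs-mailer"
SAMPLE_PW = "Example-Pw-123"
SAMPLE_LOG = [
    "[Error] SMTP send failed: auth rejected for otrs-mailer / Example-Pw-123",
    "[Notice] Ticket 1001 created",
    "[Debug] SMTP >>> " + base64.b64encode(SAMPLE_PW.encode()).decode(),
]


def secret_forms(password, username=""):
    """Byte patterns under which an SMTP password can end up in a log."""
    if not password:
        raise ValueError("empty password would match every line")
    pw = password.encode()
    forms = {"cleartext": pw, "base64 (AUTH LOGIN)": base64.b64encode(pw)}
    if username:
        # AUTH PLAIN sends base64("\0" + user + "\0" + password).
        plain = b"\0" + username.encode() + b"\0" + pw
        forms["base64 (AUTH PLAIN)"] = base64.b64encode(plain)
    return forms


def scan_lines(lines, password, username=""):
    """Return (line_number, form, redacted_line) for each line holding the secret."""
    forms = secret_forms(password, username)
    hits = []
    for number, raw in enumerate(lines, 1):
        line = raw if isinstance(raw, bytes) else raw.encode()
        found = [name for name, pattern in forms.items() if pattern in line]
        if found:
            for pattern in forms.values():  # redact every form before reporting
                line = line.replace(pattern, b"[REDACTED]")
            hits.append((number, found[0], line.decode(errors="replace").rstrip()))
    return hits


if __name__ == "__main__":
    # The secret is read from the environment (assumed variable names), not argv.
    password = os.environ.get("SMTP_SECRET", SAMPLE_PW)
    username = os.environ.get("SMTP_USER", SAMPLE_USER)
    sources = [(p, open(p, "rb")) for p in sys.argv[1:]] or [("sample", SAMPLE_LOG)]
    for label, lines in sources:
        for number, form, shown in scan_lines(lines, password, username):
            print(f"{label}:{number}: {form}: {shown}")
```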