CVE-2020-1773: 
Linux Debian vulnerability analysis and mitigation

CVE-2020-1773 (OSA-2020-10) is a session and password token leak vulnerability discovered in OTRS (Open-Source Ticket Request System). The vulnerability was disclosed on March 27, 2020, affecting ((OTRS)) Community Edition versions 5.0.41 and prior, 6.0.26 and prior, and OTRS 7.0.15 and prior versions (OTRS Advisory).

The vulnerability allows an attacker with the ability to generate session IDs or password reset tokens to predict other users' session IDs, password reset tokens, and automatically generated passwords. This can be achieved either by being able to authenticate or by exploiting OSA-2020-09. The vulnerability has been assigned a CVSS score of 7.3 (HIGH) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N (OTRS Advisory).

The vulnerability could lead to unauthorized access to user accounts through the prediction of session IDs and password reset tokens. This could potentially allow attackers to impersonate other users and gain unauthorized access to sensitive information (SUSE Advisory).

The vulnerability was fixed in OTRS versions 7.0.16, 6.0.27, and 5.0.42. The fix includes patches available on GitHub for both OTRS Community Edition 6 and 5. For Debian 10 buster, the fix was implemented in version 6.0.16-2+deb10u1. Users are strongly recommended to upgrade to these patched versions (Debian Advisory).