Vulnerability-Lookup

CNVD-2021-18383

Vulnerability from cnvd - Published: 2021-03-18

Title

OTRS AG OTRSCIsInCustomerFrontend权限许可和访问控制问题漏洞

Description

OTRS AG OTRSCIsInCustomerFrontend是美国OTRS公司的一个管理系统。提供了现代，灵活的票证和流程管理服务。 OTRS AG OTRSCIsInCustomerFrontend中存在权限许可和访问控制问题漏洞，该漏洞源于代理可在无权限的情况下查看和链接配置项。目前没有详细漏洞细节提供。

Severity

中

Patch Name

OTRS AG OTRSCIsInCustomerFrontend权限许可和访问控制问题漏洞的补丁

Patch Description

Formal description

厂商已提供漏洞修补方案，请关注厂商主页及时更新： https://otrs.com/release-notes/otrs-security-advisory-2021-04/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-21436

Impacted products

Name
['OTRS AG OTRSCIsInCustomerFrontend 7.0.*', 'OTRS AG OTRSCIsInCustomerFrontend <=7.0.14']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-21436",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-21436"
    }
  },
  "description": "OTRS AG OTRSCIsInCustomerFrontend\u662f\u7f8e\u56fdOTRS\u516c\u53f8\u7684\u4e00\u4e2a\u7ba1\u7406\u7cfb\u7edf\u3002\u63d0\u4f9b\u4e86\u73b0\u4ee3\uff0c\u7075\u6d3b\u7684\u7968\u8bc1\u548c\u6d41\u7a0b\u7ba1\u7406\u670d\u52a1\u3002\n\nOTRS AG OTRSCIsInCustomerFrontend\u4e2d\u5b58\u5728\u6743\u9650\u8bb8\u53ef\u548c\u8bbf\u95ee\u63a7\u5236\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4ee3\u7406\u53ef\u5728\u65e0\u6743\u9650\u7684\u60c5\u51b5\u4e0b\u67e5\u770b\u548c\u94fe\u63a5\u914d\u7f6e\u9879\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u5382\u5546\u5df2\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u8865\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u53ca\u65f6\u66f4\u65b0\uff1a\r\nhttps://otrs.com/release-notes/otrs-security-advisory-2021-04/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-18383",
  "openTime": "2021-03-18",
  "patchDescription": "OTRS AG OTRSCIsInCustomerFrontend\u662f\u7f8e\u56fdOTRS\u516c\u53f8\u7684\u4e00\u4e2a\u7ba1\u7406\u7cfb\u7edf\u3002\u63d0\u4f9b\u4e86\u73b0\u4ee3\uff0c\u7075\u6d3b\u7684\u7968\u8bc1\u548c\u6d41\u7a0b\u7ba1\u7406\u670d\u52a1\u3002\r\n\r\nOTRS AG OTRSCIsInCustomerFrontend\u4e2d\u5b58\u5728\u6743\u9650\u8bb8\u53ef\u548c\u8bbf\u95ee\u63a7\u5236\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4ee3\u7406\u53ef\u5728\u65e0\u6743\u9650\u7684\u60c5\u51b5\u4e0b\u67e5\u770b\u548c\u94fe\u63a5\u914d\u7f6e\u9879\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "OTRS AG OTRSCIsInCustomerFrontend\u6743\u9650\u8bb8\u53ef\u548c\u8bbf\u95ee\u63a7\u5236\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "OTRS AG OTRSCIsInCustomerFrontend 7.0.*",
      "OTRS AG OTRSCIsInCustomerFrontend \u003c=7.0.14"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-21436",
  "serverity": "\u4e2d",
  "submitTime": "2021-02-23",
  "title": "OTRS AG OTRSCIsInCustomerFrontend\u6743\u9650\u8bb8\u53ef\u548c\u8bbf\u95ee\u63a7\u5236\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2021-21436 (GCVE-0-2021-21436)

Vulnerability from cvelistv5 – Published: 2021-02-08 10:55 – Updated: 2024-09-17 04:00

Title

Agent is able to link customer's Config Items without permission

Summary

Agents are able to see and link Config Items without permissions, which are defined in General Catalog. This issue affects: OTRS AG OTRSCIsInCustomerFrontend 7.0.x version 7.0.14 and prior versions.

Severity

3.5 (Low)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

CWE

CWE-264 - Permissions, Privileges, and Access Controls

Assigner

OTRS

References

1 reference

URL	Tags
https://otrs.com/release-notes/otrs-security-advi…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
OTRS AG	OTRSCIsInCustomerFrontend	Affected: 7.0.x , ≤ 7.0.14 (custom)

Date Public

2021-02-08 00:00

Credits

Bernhard Lehr

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:16:22.405Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://otrs.com/release-notes/otrs-security-advisory-2021-04/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "OTRSCIsInCustomerFrontend",
          "vendor": "OTRS AG",
          "versions": [
            {
              "lessThanOrEqual": "7.0.14",
              "status": "affected",
              "version": "7.0.x",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Bernhard Lehr"
        }
      ],
      "datePublic": "2021-02-08T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Agents are able to see and link Config Items without permissions, which are defined in General Catalog. This issue affects: OTRS AG OTRSCIsInCustomerFrontend 7.0.x version 7.0.14 and prior versions."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-264",
              "description": "CWE-264 Permissions, Privileges, and Access Controls",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-02-08T10:55:20.000Z",
        "orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8",
        "shortName": "OTRS"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://otrs.com/release-notes/otrs-security-advisory-2021-04/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Update to OTRSCIsInCustomerFrontend 7.0.15."
        }
      ],
      "source": {
        "advisory": "OSA-2021-04",
        "defect": [
          "2020100842000501"
        ],
        "discovery": "USER"
      },
      "title": "Agent is able to link customer\u0027s Config Items without permission",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@otrs.com",
          "DATE_PUBLIC": "2021-02-08T00:00:00.000Z",
          "ID": "CVE-2021-21436",
          "STATE": "PUBLIC",
          "TITLE": "Agent is able to link customer\u0027s Config Items without permission"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "OTRSCIsInCustomerFrontend",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "7.0.x",
                            "version_value": "7.0.14"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "OTRS AG"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Bernhard Lehr"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Agents are able to see and link Config Items without permissions, which are defined in General Catalog. This issue affects: OTRS AG OTRSCIsInCustomerFrontend 7.0.x version 7.0.14 and prior versions."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-264 Permissions, Privileges, and Access Controls"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://otrs.com/release-notes/otrs-security-advisory-2021-04/",
              "refsource": "CONFIRM",
              "url": "https://otrs.com/release-notes/otrs-security-advisory-2021-04/"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Update to OTRSCIsInCustomerFrontend 7.0.15."
          }
        ],
        "source": {
          "advisory": "OSA-2021-04",
          "defect": [
            "2020100842000501"
          ],
          "discovery": "USER"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8",
    "assignerShortName": "OTRS",
    "cveId": "CVE-2021-21436",
    "datePublished": "2021-02-08T10:55:20.229Z",
    "dateReserved": "2020-12-29T00:00:00.000Z",
    "dateUpdated": "2024-09-17T04:00:11.454Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-18383

CVE-2021-21436 (GCVE-0-2021-21436)

Tags

Sightings

Nomenclature