CVE-2017-16854

Current Description

In Open Ticket Request System (OTRS) through 3.3.20, 4 through 4.0.26, 5 through 5.0.24, and 6 through 6.0.1, an attacker who is logged in as a customer can use the ticket search form to disclose internal article information of their customer tickets.

Basic Data

PublishedDecember 08, 2017
Last ModifiedApril 29, 2019
Assignercve@mitre.org
Data TypeCVE
Data FormatMITRE
Data Version4.0
Problem TypeCWE-200
CVE Data Version4.0

Base Metric V2

CVSS 2 - Version2.0
CVSS 2 - Vector StringAV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS 2 - Access VectorNETWORK
CVSS 2 - Access ComplexityLOW
CVSS 2 - AuthenticationSINGLE
CVSS 2 - Confidentiality ImpactPARTIAL
CVSS 2 - Availability ImpactNONE
CVSS 2 - Base Score4.0
SeverityMEDIUM
Exploitability Score8.0
Impact Score2.9
Obtain All Privilegefalse
Obtain User Privilegefalse
Obtain Other Privilegefalse

Base Metric V3

CVSS 3 - Version3.0
CVSS 3 - Vector StringCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 3 - Attack VectorNETWORK
CVSS 3 - Attack ComplexityLOW
CVSS 3 - Privileges RequiredLOW
CVSS 3 - User InteractionNONE
CVSS 3 - ScopeUNCHANGED
CVSS 3 - Confidentiality ImpactHIGH
CVSS 3 - Integrity ImpactNONE
CVSS 3 - Availability ImpactNONE
CVSS 3 - Base Score6.5
CVSS 3 - Base SeverityMEDIUM
Exploitability Score2.8
Base SeverityMEDIUM

Configurations

  • OR - Configuration 1
    Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
    2.3ApplicationOtrsOtrs********3.3.03.3.20
    2.3ApplicationOtrsOtrs********4.0.264.0.0
    2.3ApplicationOtrsOtrs********5.0.05.0.24
    2.3ApplicationOtrsOtrs********6.0.06.0.1
  • OR - Configuration 2
    Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
    2.3OSDebianDebian Linux7.0*******
    2.3OSDebianDebian Linux8.0*******
    2.3OSDebianDebian Linux9.0*******

Vulnerable Software List

VendorProductVersions
Debian Debian Linux 7.0, 8.0, 9.0
Otrs Otrs *

References

NameSourceURLTags
[debian-lts-announce] 20171219 [SECURITY] [DLA 1212-1] otrs2 security updatehttps://lists.debian.org/debian-lts-announce/2017/12/msg00015.htmlMLISTMailing List Third Party Advisory
DSA-4066https://www.debian.org/security/2017/dsa-4066DEBIANThird Party Advisory
https://www.otrs.com/security-advisory-2017-08-security-update-otrs-framework/https://www.otrs.com/security-advisory-2017-08-security-update-otrs-framework/CONFIRMBroken Link