CVE-2017-17476
Published: 20 December 2017
Open Ticket Request System (OTRS) 4.0.x before 4.0.28, 5.0.x before 5.0.26, and 6.0.x before 6.0.3, when cookie support is disabled, might allow remote attackers to hijack web sessions and consequently gain privileges via a crafted email.
Priority
Status
| Package | Release | Status |
|---|---|---|
| otrs2 (Launchpad, Ubuntu, Debian) | artful | Ignored (end of life) |
| otrs2 | bionic | Not vulnerable (6.0.3-1) |
| otrs2 | cosmic | Not vulnerable (6.0.3-1) |
| otrs2 | disco | Not vulnerable (6.0.3-1) |
| otrs2 | eoan | Not vulnerable (6.0.3-1) |
| otrs2 | focal | Not vulnerable (6.0.3-1) |
| otrs2 | groovy | Not vulnerable (6.0.3-1) |
| otrs2 | hirsute | Not vulnerable (6.0.3-1) |
| otrs2 | impish | Not vulnerable (6.0.3-1) |
| otrs2 | jammy | Not vulnerable (6.0.3-1) |
| otrs2 | mantic | Does not exist |
| otrs2 | noble | Does not exist |
| otrs2 | trusty | Does not exist (trusty was needed) |
| otrs2 | upstream | Released (6.0.3-1) |
| otrs2 | xenial | Needed |
| otrs2 | zesty | Ignored (end of life) |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 8.8 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
References
- https://www.otrs.com/security-advisory-2017-10-security-update-otrs-framework/
- https://github.com/OTRS/otrs/commit/26707eaaa791648e6c7ad6aeaa27efd70e7c66eb
- https://github.com/OTRS/otrs/commit/36e3be99cfe8a9e09afa1b75fdc39f3e28f561fc
- https://github.com/OTRS/otrs/commit/720c73fbf53e476ca7dfdf2ae1d4d3d2aad2b953
- https://www.cve.org/CVERecord?id=CVE-2017-17476
- NVD
- Launchpad
- Debian