PT-2021-6460 · Otrs Ag+1 · Otrs+2

Published

2021-07-26

Updated

2024-08-06

CVE-2021-21443

CVSS v2.0

4.0

Medium

Vector

AV:N/AC:L/Au:S/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions OTRS AG (OTRS) Community Edition versions 6.0.1 and later OTRS AG OTRS versions prior to 7.0.27

Description The issue is related to errors in permission handling in the OTRS ticket system, allowing an attacker to remotely access confidential data. Agents are able to list customer user emails without required permissions in the bulk action screen.

Recommendations For OTRS AG (OTRS) Community Edition versions 6.0.1 and later, update to a version that includes the necessary permission handling fixes. For OTRS AG OTRS versions prior to 7.0.27, update to version 7.0.27 or later to resolve the issue. As a temporary workaround, consider restricting access to the bulk action screen to minimize the risk of exploitation.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200CWE-275

Related Identifiers

ALT-PU-2021-2917

ALT-PU-2021-3039

ALT-PU-2021-3058

ALT-PU-2024-10583

BDU:2022-01681

CVE-2021-21443

DLA-3551-1

Affected Products

Alt Linux

Otrs

Otrs Community Edition

PT-2021-6460 · Otrs Ag+1 · Otrs+2

CVE-2021-21443

Weakness Enumeration

Related Identifiers

Affected Products

References · 13