CVE-2008-7278 — Improper Input Validation in Otrs

CWE-20 — Improper Input Validation5 documents5 sources

Severity

5.0MEDIUMNVD

EPSS

0.3%

top 45.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Otrs2 Otrs

Timeline

PublishedMar 18

Latest updateMay 17

Description

The S/MIME feature in Open Ticket Request System (OTRS) before 2.2.5, and 2.3.x before 2.3.0-beta1, does not properly configure the RANDFILE environment variable for OpenSSL, which might make it easier for remote attackers to decrypt e-mail messages that had lower than intended entropy available for cryptographic operations, related to inability to write to the seeding file.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶debiandebian/otrs2< otrs2 2.3.2-1 (bullseye)

▶NVDotrs/otrs2.2.4+40

Patches

Patch: bugs.otrs.org ↗Patch: bugs.otrs.org ↗Patch: bugs.otrs.org ↗

🔴Vulnerability Details

GHSA

GHSA-rgfv-29jm-8wcc: The S/MIME feature in Open Ticket Request System (OTRS) before 2↗2022-05-17

▶

OSV

CVE-2008-7278: The S/MIME feature in Open Ticket Request System (OTRS) before 2↗2011-03-18

▶

📋Vendor Advisories

Debian

CVE-2008-7278: otrs2 - The S/MIME feature in Open Ticket Request System (OTRS) before 2.2.5, and 2.3.x ...↗2008

▶

💬Community

Bugzilla

CVE-2010-0438 CVE-2010-2080 CVE-2010-3476 CVE-2011-0456 otrs: multiple vulnerabilities [fedora-epel5]↗2010-09-20

▶