CVE-2009-5055 — Otrs vulnerability

CWE-2645 documents5 sources

Severity

3.5LOWNVD

EPSS

0.1%

top 71.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Otrs2 Otrs

Timeline

PublishedMar 18

Latest updateMay 2

Description

Open Ticket Request System (OTRS) before 2.4.4 grants ticket access on the basis of single-digit substrings of the CustomerID value, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by visiting a ticket, as demonstrated by leveraging the CustomerID 12 account to read tickets that should be available only to CustomerID 1 or CustomerID 2.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 6.8 | Impact: 2.9

Affected Packages2 packages

▶debiandebian/otrs2< otrs2 2.4.5-1 (bullseye)

▶NVDotrs/otrs2.4.3+56

Patches

Patch: source.otrs.org ↗Patch: source.otrs.org ↗

🔴Vulnerability Details

GHSA

GHSA-mc47-5crj-3q7q: Open Ticket Request System (OTRS) before 2↗2022-05-02

▶

OSV

CVE-2009-5055: Open Ticket Request System (OTRS) before 2↗2011-03-18

▶

📋Vendor Advisories

Debian

CVE-2009-5055: otrs2 - Open Ticket Request System (OTRS) before 2.4.4 grants ticket access on the basis...↗2009

▶

💬Community

Bugzilla

CVE-2010-0438 CVE-2010-2080 CVE-2010-3476 CVE-2011-0456 otrs: multiple vulnerabilities [fedora-epel5]↗2010-09-20

▶