CVE-2020-1773 — Insufficient Entropy in Otrs

CWE-331 — Insufficient Entropy5 documents5 sources

Severity

8.1HIGHNVD

CNA7.3

EPSS

0.5%

top 35.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Otrs Otrs AG Community Edition Otrs AG Otrs

Timeline

PublishedMar 27

Latest updateMay 24

Description

An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may be able to predict other users session IDs, password reset tokens and automatically generated passwords. This issue affects ((OTRS)) Community Edition: 5.0.41 and prior versions, 6.0.26 and prior versions. OTRS; 7.0.15 and prior versions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages3 packages

▶CVEListV5otrs_ag/community_edition5.0.41 and prior, 6.0.26 and prior+1

▶NVDotrs/otrs5.0.0 — 5.0.41+2

▶CVEListV5otrs_ag/otrs7.0.15 and prior

🔴Vulnerability Details

GHSA

GHSA-63m6-fqgg-rv45: It's possible that an authenticated user guess other session IDs based on its own↗2022-05-24

▶

OSV

CVE-2020-1773: An attacker with the ability to generate session IDs or password reset tokens, either by being able to authenticate or by exploiting OSA-2020-09, may↗2020-03-27

▶

CVEList

Session / Password / Password token leak↗2020-03-27

▶

📋Vendor Advisories

Debian

CVE-2020-1773: otrs2 - An attacker with the ability to generate session IDs or password reset tokens, e...↗2020

▶