CVE-2021-21443 — Sensitive Information Exposure in AG Community Edition

CWE-200 — Sensitive Information Exposure5 documents5 sources

Severity

4.3MEDIUMNVD

CNA3.5

EPSS

0.2%

top 55.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Otrs AG Community Edition Otrs AG Otrs Otrs

Timeline

PublishedJul 26

Latest updateMay 24

Description

Agents are able to list customer user emails without required permissions in the bulk action screen. This issue affects: OTRS AG ((OTRS)) Community Edition: 6.0.x version 6.0.1 and later versions. OTRS AG OTRS: 7.0.x versions prior to 7.0.27.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5otrs_ag/community_edition6.0.1 — 6.0.x*

▶CVEListV5otrs_ag/otrs7.0.x — 7.0.27

▶NVDotrs/otrs6.0.0 — 6.0.32+1

🔴Vulnerability Details

GHSA

GHSA-8cr8-7h2h-c8f7: Agents are able to list customer user emails without required permissions in the bulk action screen↗2022-05-24

▶

CVEList

Unautorized listing of the customer user emails↗2021-07-26

▶

OSV

CVE-2021-21443: Agents are able to list customer user emails without required permissions in the bulk action screen↗2021-07-26

▶

📋Vendor Advisories

Debian

CVE-2021-21443: otrs2 - Agents are able to list customer user emails without required permissions in the...↗2021

▶