CVE-2021-36097Incorrect Privilege Assignment in AG Otrs

CWE-266Incorrect Privilege AssignmentCWE-732Incorrect Permission Assignment3 documents3 sources
Severity
4.3MEDIUMNVD
CNA3.5
EPSS
0.1%
top 69.91%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Otrs AG OtrsOtrs
Timeline
PublishedOct 18
Latest updateMay 24

Description

Agents are able to lock the ticket without the "Owner" permission. Once the ticket is locked, it could be moved to the queue where the agent has "rw" permissions and gain a full control. This issue affects: OTRS AG OTRS 8.0.x version: 8.0.16 and prior versions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

NVDotrs/otrs8.0.08.0.16
CVEListV5otrs_ag/otrs8.0.x8.0.16

🔴Vulnerability Details

2
GHSA
GHSA-w4r5-v3hc-jqxx: Agents are able to lock the ticket without the "Owner" permission2022-05-24
CVEList
Agents are able to lock the ticket without the "Owner" permission2021-10-18
CVE-2021-36097 — Incorrect Privilege Assignment | cvebase