cbcvebase.
CVE-2021-36100
published 2022-03-21

CVE-2021-36100: Specially crafted string in OTRS system configuration can allow the execution of any system command.

Priority: P354 | high | 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.30% (66.9th percentile)

Affected

17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | otrs2 | | |
| debian | znuny | | |
| otrs | otrs | < 7.0.28 | 7.0.28 |
| otrs | otrs | >= 7.0.30 < 7.0.33 | 7.0.33 |
| otrs | otrs | >= 8.0.0 < 8.0.21 | 8.0.21 |
| otrs | otrs_itsm | < 7.0.19 | 7.0.19 |
| otrs | otrs_itsm | >= 8.0.0 < 8.0.28 | 8.0.28 |
| otrs | otrs_storm | < 8.0.12 | 8.0.12 |
| otrs_ag | community_edition | >= 6.0.1 < 6.0.x* | 6.0.x* |
| otrs_ag | otrs | 7.0.x – 7.0.32 | |
| otrs_ag | otrs | 8.0.x – 8.0.19 | |
| otrs_ag | otrsstorm | >= 6.0.1 < 6.0.x* | 6.0.x* |
| otrs_ag | otrsstorm | 7.0.x – 7.0.27 | |
| otrs_ag | otrsstorm | 8.0.x – 8.0.11 | |
| otrs_ag | systemmonitoring | >= 6.0.1 < 6.0.x* | 6.0.x* |
| otrs_ag | systemmonitoring | 7.0.x – 7.0.18 | |
| otrs_ag | systemmonitoring | 8.0.x – 8.0.8 | |

CVSS provenance

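| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| osv | | 8.8 | HIGH | |
| vendor_debian | | 6.4 | MEDIUM | |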