CVE-2021-21437 - Vulnerability Details - OpenCVE

Description

Agents are able to see linked Config Items without permissions, which are defined in General Catalog. This issue affects: OTRSCIsInCustomerFrontend 7.0.15 and prior versions, ITSMConfigurationManagement 7.0.24 and prior versions

Published: 2021-03-22

Score: 3.5 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

OTRS AG

OTRSCIsInCustomerFrontend

affected

Version	Status	Constraints
`7.0.x`	affected	≤ 7.0.15

OTRS AG

ITSMConfigurationManagement

affected

Version	Status	Constraints
`7.0.x`	affected	≤ 7.0.24

Configuration 1 [-]

OR	cpe:2.3:a:otrs:itsmconfigurationmanagement::::::::
	cpe:2.3:a:otrs:otrscisincustomerfrontend::::::::

No data.

No data available yet.

Remediation

Vendor Solution

Update to ITSMConfigurationManagement 7.0.25 and OTRSCIsInCustomerFrontend 7.0.16.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2021-8711	Agents are able to see linked Config Items without permissions, which are defined in General Catalog. This issue affects: OTRSCIsInCustomerFrontend 7.0.15 and prior versions, ITSMConfigurationManagement 7.0.24 and prior versions

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00112.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://otrs.com/release-notes/otrs-security-advisory-2021-07/

History

No history.

Subscriptions

Otrs Itsmconfigurationmanagement Otrscisincustomerfrontend

MITRE

Status: PUBLISHED

Assigner: OTRS

Published: 2021-03-22T08:50:17.071Z

Updated: 2024-09-16T20:53:12.704Z

Reserved: 2020-12-29T00:00:00.000Z

Link: CVE-2021-21437

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-03-22T09:15:12.953

Modified: 2024-11-21T05:48:21.620

Link: CVE-2021-21437

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"containers": {"cna": {"affected": [{"product": "OTRSCIsInCustomerFrontend", "vendor": "OTRS AG", "versions": [{"lessThanOrEqual": "7.0.15", "status": "affected", "version": "7.0.x", "versionType": "custom"}]}, {"product": "ITSMConfigurationManagement", "vendor": "OTRS AG", "versions": [{"lessThanOrEqual": "7.0.24", "status": "affected", "version": "7.0.x", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Jaroslav Balaz"}], "datePublic": "2021-03-22T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Agents are able to see linked Config Items without permissions, which are defined in General Catalog. This issue affects: OTRSCIsInCustomerFrontend 7.0.15 and prior versions, ITSMConfigurationManagement 7.0.24 and prior versions"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-264", "description": "CWE-264 Permissions, Privileges, and Access Controls", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-03-22T08:50:16.000Z", "orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "shortName": "OTRS"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://otrs.com/release-notes/otrs-security-advisory-2021-07/"}], "solutions": [{"lang": "en", "value": "Update to ITSMConfigurationManagement 7.0.25 and OTRSCIsInCustomerFrontend 7.0.16."}], "source": {"advisory": "OSA-2021-07", "defect": ["2021012842001309"], "discovery": "INTERNAL"}, "title": "Config Items are shown to users without permission", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@otrs.com", "DATE_PUBLIC": "2021-03-22T00:00:00.000Z", "ID": "CVE-2021-21437", "STATE": "PUBLIC", "TITLE": "Config Items are shown to users without permission"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "OTRSCIsInCustomerFrontend", "version": {"version_data": [{"version_affected": "<=", "version_name": "7.0.x", "version_value": "7.0.15"}]}}, {"product_name": "ITSMConfigurationManagement", "version": {"version_data": [{"version_affected": "<=", "version_name": "7.0.x", "version_value": "7.0.24"}]}}]}, "vendor_name": "OTRS AG"}]}}, "credit": [{"lang": "eng", "value": "Jaroslav Balaz"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Agents are able to see linked Config Items without permissions, which are defined in General Catalog. This issue affects: OTRSCIsInCustomerFrontend 7.0.15 and prior versions, ITSMConfigurationManagement 7.0.24 and prior versions"}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-264 Permissions, Privileges, and Access Controls"}]}]}, "references": {"reference_data": [{"name": "https://otrs.com/release-notes/otrs-security-advisory-2021-07/", "refsource": "MISC", "url": "https://otrs.com/release-notes/otrs-security-advisory-2021-07/"}]}, "solution": [{"lang": "en", "value": "Update to ITSMConfigurationManagement 7.0.25 and OTRSCIsInCustomerFrontend 7.0.16."}], "source": {"advisory": "OSA-2021-07", "defect": ["2021012842001309"], "discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:16:22.378Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://otrs.com/release-notes/otrs-security-advisory-2021-07/"}]}]}, "cveMetadata": {"assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "assignerShortName": "OTRS", "cveId": "CVE-2021-21437", "datePublished": "2021-03-22T08:50:17.071Z", "dateReserved": "2020-12-29T00:00:00.000Z", "dateUpdated": "2024-09-16T20:53:12.704Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:otrs:itsmconfigurationmanagement:*:*:*:*:*:*:*:*", "matchCriteriaId": "22785061-8457-4745-8DA4-698A59CE6139", "versionEndIncluding": "7.0.24", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:otrs:otrscisincustomerfrontend:*:*:*:*:*:*:*:*", "matchCriteriaId": "CEE941D9-D14E-4B97-BC43-843F1116C8F2", "versionEndIncluding": "7.0.15", "versionStartIncluding": "7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Agents are able to see linked Config Items without permissions, which are defined in General Catalog. This issue affects: OTRSCIsInCustomerFrontend 7.0.15 and prior versions, ITSMConfigurationManagement 7.0.24 and prior versions"}, {"lang": "es", "value": "Los agentes pueden ser capaces de visualizar Elementos de Configuraci\u00f3n vinculados sin permisos, que son definidos en el Cat\u00e1logo General. Este problema afecta a: OTRSCIsInCustomerFrontend versiones 7.0.15 y anteriores, ITSMConfigurationManagement versiones 7.0.24 y anteriores"}], "id": "CVE-2021-21437", "lastModified": "2024-11-21T05:48:21.620", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "security@otrs.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-22T09:15:12.953", "references": [{"source": "security@otrs.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://otrs.com/release-notes/otrs-security-advisory-2021-07/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://otrs.com/release-notes/otrs-security-advisory-2021-07/"}], "sourceIdentifier": "security@otrs.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "security@otrs.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}