CVE-2022-4427 - OpenCVE

Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Otrs	Otrs

Configuration 1 [-]

OR	cpe:2.3:a:otrs:otrs:::::community:::*
	cpe:2.3:a:otrs:otrs::::::::
	cpe:2.3:a:otrs:otrs::::::::
	cpe:2.3:a:otrs:otrs:7.0.40:-::::::
	cpe:2.3:a:otrs:otrs:8.0.28:-::::::

No data.

References

Link	Providers
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
https://otrs.com/release-notes/otrs-security-advisory-2022-15/

History

No history.

MITRE

Status: PUBLISHED

Assigner: OTRS

Published: 2022-12-19T08:09:51.646Z

Updated: 2024-08-03T01:41:44.619Z

Reserved: 2022-12-12T16:11:40.741Z

Link: CVE-2022-4427

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-12-19T09:15:09.707

Modified: 2023-08-31T03:15:13.807

Link: CVE-2022-4427

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-4427", "assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "state": "PUBLISHED", "assignerShortName": "OTRS", "requesterUserId": "e1930910-48a6-4f4e-9306-261ea8c0e8b1", "dateReserved": "2022-12-12T16:11:40.741Z", "datePublished": "2022-12-19T08:09:51.646Z", "dateUpdated": "2024-08-03T01:41:44.619Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "modules": ["Generic Interface"], "product": "OTRS", "vendor": "OTRS AG", "versions": [{"lessThan": "7.0.40 Patch 1", "status": "affected", "version": "7.0.1", "versionType": "Patch 1 (2022-12-19)"}, {"lessThan": "8.0.28 Patch 1", "status": "affected", "version": "8.0.1", "versionType": "Patch 1 (2022-12-19)"}]}, {"defaultStatus": "affected", "modules": ["Generic Interface"], "product": "((OTRS)) Community Edition", "vendor": "OTRS AG", "versions": [{"lessThanOrEqual": "6.0.34", "status": "affected", "version": "6.0.1", "versionType": "All"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "TicketSearch Webservice has to be configured<br>"}], "value": "TicketSearch Webservice has to be configured\n"}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Special thanks to Tim P\u00fcttmanns for reporting these vulnerability."}], "datePublic": "2022-12-19T08:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice<br><p>This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.</p>"}], "value": "Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice\nThis issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.\n\n"}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "shortName": "OTRS", "dateUpdated": "2022-12-19T08:09:51.646Z"}, "references": [{"url": "https://otrs.com/release-notes/otrs-security-advisory-2022-15/"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to OTRS 7.0.40 Patch 1 or OTRS 8.0.28 Patch 1 released on 19th December 2022<br>"}], "value": "Update to OTRS 7.0.40 Patch 1 or OTRS 8.0.28 Patch 1 released on 19th December 2022\n"}], "source": {"advisory": "OSA-2022-15", "discovery": "EXTERNAL"}, "title": "SQL Injection via OTRS Search API", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:41:44.619Z"}, "title": "CVE Program Container", "references": [{"url": "https://otrs.com/release-notes/otrs-security-advisory-2022-15/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:otrs:otrs:*:*:*:*:community:*:*:*", "matchCriteriaId": "F4C2FF02-9A6F-435D-A55A-D2F085BD1FB2", "versionEndIncluding": "6.0.34", "versionStartIncluding": "6.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*", "matchCriteriaId": "FF2A3E3C-3DDF-4242-B173-1EDBFD99D7AC", "versionEndExcluding": "7.0.40", "versionStartIncluding": "7.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*", "matchCriteriaId": "4430231E-14C4-4C7F-8CA7-F8E36B639ADB", "versionEndExcluding": "8.0.28", "versionStartIncluding": "8.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:otrs:otrs:7.0.40:-:*:*:*:*:*:*", "matchCriteriaId": "222528AA-E7BC-4FFC-A420-83798C8E9B7E", "vulnerable": true}, {"criteria": "cpe:2.3:a:otrs:otrs:8.0.28:-:*:*:*:*:*:*", "matchCriteriaId": "3169243C-9150-4E99-8E36-F6EB34D5EDE7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice\nThis issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.\n\n"}, {"lang": "es", "value": "Vulnerabilidad de validaci\u00f3n de entrada incorrecta en OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition permite la inyecci\u00f3n de SQL a trav\u00e9s de TicketSearch Webservice. Este problema afecta a OTRS: desde 7.0.1 antes de 7.0.40 parche 1, desde 8.0.1 antes de 8.0.28 parche 1 ; ((OTRS)) Community Edition: desde 6.0.1 hasta 6.0.34.\n "}], "id": "CVE-2022-4427", "lastModified": "2023-08-31T03:15:13.807", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@otrs.com", "type": "Secondary"}]}, "published": "2022-12-19T09:15:09.707", "references": [{"source": "security@otrs.com", "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"}, {"source": "security@otrs.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://otrs.com/release-notes/otrs-security-advisory-2022-15/"}], "sourceIdentifier": "security@otrs.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@otrs.com", "type": "Secondary"}]}