OS Command Injection in OTRS and Debian Linux - CVE-2017-16921
Published: December 8, 2017 / Updated: June 17, 2021
Vulnerability identifier: #VU37774
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2017-16921
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: otrs.org
Debian
Debian
Affected software:
OTRS
Debian Linux
OTRS
Debian Linux
Detailed vulnerability description
The vulnerability allows a remote authenticated user to execute arbitrary code.
In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.26, an attacker who is logged into OTRS as an agent can manipulate form parameters (related to PGP) and execute arbitrary shell commands with the permissions of the OTRS or web server user.
How to mitigate CVE-2017-16921
Install update from vendor's website.