#VU37774 OS Command Injection in OTRS and Debian Linux - CVE-2017-16921
Published: December 8, 2017 / Updated: June 17, 2021
Vulnerability identifier: #VU37774
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2017-16921
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
OTRS
Debian Linux
OTRS
Debian Linux
Software vendor:
otrs.org
Debian
otrs.org
Debian
Description
The vulnerability allows a remote authenticated user to execute arbitrary code.
In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.26, an attacker who is logged into OTRS as an agent can manipulate form parameters (related to PGP) and execute arbitrary shell commands with the permissions of the OTRS or web server user.
Remediation
Install update from vendor's website.