Candidate: CVE-2017-16921
PublicDate: 2017-12-08 15:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16921
 https://www.otrs.com/security-advisory-2017-09-security-update-otrs-framework/
 https://bugs.otrs.org/show_bug.cgi?id=13357
Description:
 In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including
 5.0.24, and OTRS 4.0.x up to and including 4.0.26, an attacker who is
 logged into OTRS as an agent can manipulate form parameters (related to
 PGP) and execute arbitrary shell commands with the permissions of the OTRS
 or web server user.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883774
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [8.8 HIGH]


Patches_otrs2:
upstream_otrs2: released (6.0.2-1)
precise/esm_otrs2: DNE
trusty_otrs2: ignored (reached end-of-life)
trusty/esm_otrs2: DNE (trusty was needed)
xenial_otrs2: ignored (end of standard support, was needed)
zesty_otrs2: ignored (reached end-of-life)
artful_otrs2: ignored (reached end-of-life)
bionic_otrs2: not-affected (6.0.5-1)
cosmic_otrs2: not-affected (6.0.5-1)
disco_otrs2: not-affected (6.0.5-1)
eoan_otrs2: not-affected (6.0.5-1)
focal_otrs2: not-affected (6.0.5-1)
groovy_otrs2: not-affected (6.0.5-1)
hirsute_otrs2: not-affected (6.0.5-1)
impish_otrs2: not-affected (6.0.5-1)
jammy_otrs2: not-affected (6.0.5-1)
devel_otrs2: not-affected (6.0.5-1)