Attacker Value
Very High
CVE-2017-16921
CVE-2017-16921
(Last updated October 05, 2023) ▾
MITRE ATT&CK
Log in to add MITRE ATT&CK tag
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access
Techniques
Validation
Description
In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.26, an attacker who is logged into OTRS as an agent can manipulate form parameters (related to PGP) and execute arbitrary shell commands with the permissions of the OTRS or web server user.
Add Assessment
1
Technical Analysis
Patch : update to OTRS 6.0.2 to fix this specific issue but updating to 6.0.32 is recommended.
CVSS V3 Severity and Metrics
Data provided by the National Vulnerability Database (NVD)
Base Score:
8.8 High
Impact Score:
5.9
Exploitability Score:
2.8
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High
General Information
Vendors
- debian,
- otrs
Products
- debian linux 7.0,
- debian linux 8.0,
- debian linux 9.0,
- otrs 4.0.1,
- otrs 4.0.10,
- otrs 4.0.11,
- otrs 4.0.12,
- otrs 4.0.13,
- otrs 4.0.14,
- otrs 4.0.15,
- otrs 4.0.16,
- otrs 4.0.17,
- otrs 4.0.18,
- otrs 4.0.19,
- otrs 4.0.2,
- otrs 4.0.20,
- otrs 4.0.21,
- otrs 4.0.22,
- otrs 4.0.23,
- otrs 4.0.24,
- otrs 4.0.25,
- otrs 4.0.26,
- otrs 4.0.3,
- otrs 4.0.4,
- otrs 4.0.5,
- otrs 4.0.6,
- otrs 4.0.7,
- otrs 4.0.8,
- otrs 4.0.9,
- otrs 5.0.0,
- otrs 5.0.1,
- otrs 5.0.10,
- otrs 5.0.11,
- otrs 5.0.12,
- otrs 5.0.13,
- otrs 5.0.14,
- otrs 5.0.15,
- otrs 5.0.16,
- otrs 5.0.17,
- otrs 5.0.18,
- otrs 5.0.19,
- otrs 5.0.2,
- otrs 5.0.20,
- otrs 5.0.21,
- otrs 5.0.22,
- otrs 5.0.23,
- otrs 5.0.24,
- otrs 5.0.3,
- otrs 5.0.4,
- otrs 5.0.5,
- otrs 5.0.6,
- otrs 5.0.7,
- otrs 5.0.8,
- otrs 5.0.9,
- otrs 6.0.0,
- otrs 6.0.1
References
Advisory
