cvelistv5 - cve-2020-1774

CVE-2020-1774 (GCVE-0-2020-1774)

Vulnerability from cvelistv5 – Published: 2020-04-28 13:54 – Updated: 2024-09-16 18:13

Title

Information disclosure

Summary

When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys. Therefore it's possible to mix them and to send private key to the third-party instead of public key. This issue affects ((OTRS)) Community Edition: 5.0.42 and prior versions, 6.0.27 and prior versions. OTRS: 7.0.16 and prior versions.

Severity ?

4.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

CWE

CWE-201 - Information Exposure Through Sent Data

Assigner

OTRS

References

URL

Tags

	https://otrs.com/release-notes/otrs-security-advi…
	https://lists.debian.org/debian-lts-announce/2020…	mailing-list
	https://lists.debian.org/debian-lts-announce/2023…	mailing-list

Impacted products

Vendor

Product

Version

OTRS AG

((OTRS)) Community Edition

Affected: 6.0.x <= 6.0.27
Affected: 5.0.x <= 5.0.42

OTRS AG

OTRS

Affected: 7.0.x <= 7.0.16

Credits

Matthias Terlinde

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T06:46:30.951Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://otrs.com/release-notes/otrs-security-advisory-2020-11/"
          },
          {
            "name": "[debian-lts-announce] 20200501 [SECURITY] [DLA 2198-1] otrs2 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00000.html"
          },
          {
            "name": "[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "((OTRS)) Community Edition",
          "vendor": "OTRS AG",
          "versions": [
            {
              "status": "affected",
              "version": "6.0.x \u003c= 6.0.27"
            },
            {
              "status": "affected",
              "version": "5.0.x \u003c= 5.0.42"
            }
          ]
        },
        {
          "product": "OTRS",
          "vendor": "OTRS AG",
          "versions": [
            {
              "status": "affected",
              "version": "7.0.x \u003c= 7.0.16"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Matthias Terlinde"
        }
      ],
      "datePublic": "2020-04-27T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys. Therefore it\u0027s possible to mix them and to send private key to the third-party instead of public key. This issue affects ((OTRS)) Community Edition: 5.0.42 and prior versions, 6.0.27 and prior versions. OTRS: 7.0.16 and prior versions."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-201",
              "description": "CWE-201 Information Exposure Through Sent Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-31T02:07:06.193689",
        "orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8",
        "shortName": "OTRS"
      },
      "references": [
        {
          "url": "https://otrs.com/release-notes/otrs-security-advisory-2020-11/"
        },
        {
          "name": "[debian-lts-announce] 20200501 [SECURITY] [DLA 2198-1] otrs2 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00000.html"
        },
        {
          "name": "[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to OTRS 7.0.17, ((OTRS)) Community Edition 6.0.28\nPatch for ((OTRS)) Community Edition 6: https://github.com/OTRS/otrs/commit/ff725cbea77f03fa296bb13f93f5b07086920342\nPatch for ((OTRS)) Community Edition 5: https://github.com/OTRS/otrs/commit/fb0e6131e79aa2ba9c7acbd16f4ee4e73289f64b"
        }
      ],
      "source": {
        "advisory": "OSA-2020-11",
        "defect": [
          "2020021442001602"
        ],
        "discovery": "USER"
      },
      "title": "Information disclosure",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8",
    "assignerShortName": "OTRS",
    "cveId": "CVE-2020-1774",
    "datePublished": "2020-04-28T13:54:26.180850Z",
    "dateReserved": "2019-11-29T00:00:00",
    "dateUpdated": "2024-09-16T18:13:37.691Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:otrs:otrs:*:*:*:*:community:*:*:*\", \"versionStartIncluding\": \"5.0.0\", \"versionEndIncluding\": \"5.0.42\", \"matchCriteriaId\": \"06492F1B-5810-429D-BB78-8706F9E74AEE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:otrs:otrs:*:*:*:*:community:*:*:*\", \"versionStartIncluding\": \"6.0.0\", \"versionEndIncluding\": \"6.0.27\", \"matchCriteriaId\": \"03EA383C-3BB5-46CF-AEBE-C2B3B92446A6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"7.0.0\", \"versionEndIncluding\": \"7.0.16\", \"matchCriteriaId\": \"59B100A3-DB5D-466B-BFA3-094EB95A0E4E\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys. Therefore it\u0027s possible to mix them and to send private key to the third-party instead of public key. This issue affects ((OTRS)) Community Edition: 5.0.42 and prior versions, 6.0.27 and prior versions. OTRS: 7.0.16 and prior versions.\"}, {\"lang\": \"es\", \"value\": \"Cuando el usuario descarga claves y certificados de PGP o S/MIME, el archivo exportado presenta el mismo nombre para las claves privadas y p\\u00fablicas. Por lo tanto, es posible mezclarlos y enviar la clave privada a un tercero en lugar de la clave p\\u00fablica. Este problema afecta a ((OTRS)) Community Edition: versiones 5.0.42 y anteriores, versiones 6.0.27 y anteriores. OTRS: versiones 7.0.16 y anteriores.\"}]",
      "id": "CVE-2020-1774",
      "lastModified": "2024-11-21T05:11:21.797",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security@otrs.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N\", \"baseScore\": 4.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 0.9, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 4.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:N/A:N\", \"baseScore\": 4.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2020-04-28T14:15:14.283",
      "references": "[{\"url\": \"https://lists.debian.org/debian-lts-announce/2020/05/msg00000.html\", \"source\": \"security@otrs.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html\", \"source\": \"security@otrs.com\"}, {\"url\": \"https://otrs.com/release-notes/otrs-security-advisory-2020-11/\", \"source\": \"security@otrs.com\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2020/05/msg00000.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://otrs.com/release-notes/otrs-security-advisory-2020-11/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@otrs.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security@otrs.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-201\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-1774\",\"sourceIdentifier\":\"security@otrs.com\",\"published\":\"2020-04-28T14:15:14.283\",\"lastModified\":\"2024-11-21T05:11:21.797\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys. Therefore it\u0027s possible to mix them and to send private key to the third-party instead of public key. This issue affects ((OTRS)) Community Edition: 5.0.42 and prior versions, 6.0.27 and prior versions. OTRS: 7.0.16 and prior versions.\"},{\"lang\":\"es\",\"value\":\"Cuando el usuario descarga claves y certificados de PGP o S/MIME, el archivo exportado presenta el mismo nombre para las claves privadas y p\u00fablicas. Por lo tanto, es posible mezclarlos y enviar la clave privada a un tercero en lugar de la clave p\u00fablica. Este problema afecta a ((OTRS)) Community Edition: versiones 5.0.42 y anteriores, versiones 6.0.27 y anteriores. OTRS: versiones 7.0.16 y anteriores.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@otrs.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N\",\"baseScore\":4.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":4.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:N/A:N\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security@otrs.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-201\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:otrs:otrs:*:*:*:*:community:*:*:*\",\"versionStartIncluding\":\"5.0.0\",\"versionEndIncluding\":\"5.0.42\",\"matchCriteriaId\":\"06492F1B-5810-429D-BB78-8706F9E74AEE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:otrs:otrs:*:*:*:*:community:*:*:*\",\"versionStartIncluding\":\"6.0.0\",\"versionEndIncluding\":\"6.0.27\",\"matchCriteriaId\":\"03EA383C-3BB5-46CF-AEBE-C2B3B92446A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.0.0\",\"versionEndIncluding\":\"7.0.16\",\"matchCriteriaId\":\"59B100A3-DB5D-466B-BFA3-094EB95A0E4E\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"}]}]}],\"references\":[{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/05/msg00000.html\",\"source\":\"security@otrs.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html\",\"source\":\"security@otrs.com\"},{\"url\":\"https://otrs.com/release-notes/otrs-security-advisory-2020-11/\",\"source\":\"security@otrs.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/05/msg00000.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://otrs.com/release-notes/otrs-security-advisory-2020-11/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]}]}}"
  }
}

CNVD-2020-32426

Vulnerability from cnvd - Published: 2020-06-11

Title

Open Ticket Request System信息泄露漏洞（CNVD-2020-32426）

Description

Open Ticket Request System（OTRS）是德国OTRS集团的一套开源缺陷跟踪管理系统软件。该软件将电话，邮件等各种渠道提交进来的服务请求归类为不同的队列、服务级别，服务人员通过OTRS系统来跟踪和回复客户。 OTRS中存在安全漏洞，该漏洞源于在下载PGP或S/MIME密钥/证书时，导出的公钥和私钥文件名称相同，用户可能会将其混淆，将私钥发送给第三方。攻击者可利用该漏洞获取信息。

Severity

中

Patch Name

Open Ticket Request System信息泄露漏洞（CNVD-2020-32426）的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://community.otrs.com/de/security-advisory-2020-11/

Reference

https://vigilance.fr/vulnerability/OTRS-Help-Desk-private-key-disclosure-32107

Impacted products

Name
['Open Ticket Request System Open Ticket Request System <=7.0.16', 'Open Ticket Request System Open Ticket Request System <=5.0.42', 'Open Ticket Request System Open Ticket Request System <=6.0.27']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-1774"
    }
  },
  "description": "Open Ticket Request System\uff08OTRS\uff09\u662f\u5fb7\u56fdOTRS\u96c6\u56e2\u7684\u4e00\u5957\u5f00\u6e90\u7f3a\u9677\u8ddf\u8e2a\u7ba1\u7406\u7cfb\u7edf\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u5c06\u7535\u8bdd\uff0c\u90ae\u4ef6\u7b49\u5404\u79cd\u6e20\u9053\u63d0\u4ea4\u8fdb\u6765\u7684\u670d\u52a1\u8bf7\u6c42\u5f52\u7c7b\u4e3a\u4e0d\u540c\u7684\u961f\u5217\u3001\u670d\u52a1\u7ea7\u522b\uff0c\u670d\u52a1\u4eba\u5458\u901a\u8fc7OTRS\u7cfb\u7edf\u6765\u8ddf\u8e2a\u548c\u56de\u590d\u5ba2\u6237\u3002\n\nOTRS\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u4e0b\u8f7dPGP\u6216S/MIME\u5bc6\u94a5/\u8bc1\u4e66\u65f6\uff0c\u5bfc\u51fa\u7684\u516c\u94a5\u548c\u79c1\u94a5\u6587\u4ef6\u540d\u79f0\u76f8\u540c\uff0c\u7528\u6237\u53ef\u80fd\u4f1a\u5c06\u5176\u6df7\u6dc6\uff0c\u5c06\u79c1\u94a5\u53d1\u9001\u7ed9\u7b2c\u4e09\u65b9\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u4fe1\u606f\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://community.otrs.com/de/security-advisory-2020-11/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-32426",
  "openTime": "2020-06-11",
  "patchDescription": "Open Ticket Request System\uff08OTRS\uff09\u662f\u5fb7\u56fdOTRS\u96c6\u56e2\u7684\u4e00\u5957\u5f00\u6e90\u7f3a\u9677\u8ddf\u8e2a\u7ba1\u7406\u7cfb\u7edf\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u5c06\u7535\u8bdd\uff0c\u90ae\u4ef6\u7b49\u5404\u79cd\u6e20\u9053\u63d0\u4ea4\u8fdb\u6765\u7684\u670d\u52a1\u8bf7\u6c42\u5f52\u7c7b\u4e3a\u4e0d\u540c\u7684\u961f\u5217\u3001\u670d\u52a1\u7ea7\u522b\uff0c\u670d\u52a1\u4eba\u5458\u901a\u8fc7OTRS\u7cfb\u7edf\u6765\u8ddf\u8e2a\u548c\u56de\u590d\u5ba2\u6237\u3002\r\n\r\nOTRS\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u4e0b\u8f7dPGP\u6216S/MIME\u5bc6\u94a5/\u8bc1\u4e66\u65f6\uff0c\u5bfc\u51fa\u7684\u516c\u94a5\u548c\u79c1\u94a5\u6587\u4ef6\u540d\u79f0\u76f8\u540c\uff0c\u7528\u6237\u53ef\u80fd\u4f1a\u5c06\u5176\u6df7\u6dc6\uff0c\u5c06\u79c1\u94a5\u53d1\u9001\u7ed9\u7b2c\u4e09\u65b9\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Open Ticket Request System\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2020-32426\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Open Ticket Request System Open Ticket Request System \u003c=7.0.16",
      "Open Ticket Request System Open Ticket Request System \u003c=5.0.42",
      "Open Ticket Request System Open Ticket Request System \u003c=6.0.27"
    ]
  },
  "referenceLink": "https://vigilance.fr/vulnerability/OTRS-Help-Desk-private-key-disclosure-32107",
  "serverity": "\u4e2d",
  "submitTime": "2020-04-29",
  "title": "Open Ticket Request System\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2020-32426\uff09"
}

GSD-2020-1774

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2020-1774

Aliases

CVE-2020-1774

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-1774",
    "description": "When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys. Therefore it\u0027s possible to mix them and to send private key to the third-party instead of public key. This issue affects ((OTRS)) Community Edition: 5.0.42 and prior versions, 6.0.27 and prior versions. OTRS: 7.0.16 and prior versions.",
    "id": "GSD-2020-1774",
    "references": [
      "https://www.suse.com/security/cve/CVE-2020-1774.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-1774"
      ],
      "details": "When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys. Therefore it\u0027s possible to mix them and to send private key to the third-party instead of public key. This issue affects ((OTRS)) Community Edition: 5.0.42 and prior versions, 6.0.27 and prior versions. OTRS: 7.0.16 and prior versions.",
      "id": "GSD-2020-1774",
      "modified": "2023-12-13T01:21:59.013376Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@otrs.com",
        "DATE_PUBLIC": "2020-04-27T00:00:00.000Z",
        "ID": "CVE-2020-1774",
        "STATE": "PUBLIC",
        "TITLE": "Information disclosure "
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "((OTRS)) Community Edition",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "6.0.x \u003c= 6.0.27"
                        },
                        {
                          "version_value": "5.0.x \u003c= 5.0.42"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "OTRS",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "7.0.x \u003c= 7.0.16"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "OTRS AG"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "Matthias Terlinde"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys. Therefore it\u0027s possible to mix them and to send private key to the third-party instead of public key. This issue affects ((OTRS)) Community Edition: 5.0.42 and prior versions, 6.0.27 and prior versions. OTRS: 7.0.16 and prior versions."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-201 Information Exposure Through Sent Data"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://otrs.com/release-notes/otrs-security-advisory-2020-11/",
            "refsource": "CONFIRM",
            "url": "https://otrs.com/release-notes/otrs-security-advisory-2020-11/"
          },
          {
            "name": "[debian-lts-announce] 20200501 [SECURITY] [DLA 2198-1] otrs2 security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00000.html"
          },
          {
            "name": "[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"
          }
        ]
      },
      "solution": [
        {
          "lang": "eng",
          "value": "Upgrade to OTRS 7.0.17, ((OTRS)) Community Edition 6.0.28\nPatch for ((OTRS)) Community Edition 6: https://github.com/OTRS/otrs/commit/ff725cbea77f03fa296bb13f93f5b07086920342\nPatch for ((OTRS)) Community Edition 5: https://github.com/OTRS/otrs/commit/fb0e6131e79aa2ba9c7acbd16f4ee4e73289f64b"
        }
      ],
      "source": {
        "advisory": "OSA-2020-11",
        "defect": [
          "2020021442001602"
        ],
        "discovery": "USER"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "7.0.16",
                "versionStartIncluding": "7.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:otrs:otrs:*:*:*:*:community:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "6.0.27",
                "versionStartIncluding": "6.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:otrs:otrs:*:*:*:*:community:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "5.0.42",
                "versionStartIncluding": "5.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@otrs.com",
          "ID": "CVE-2020-1774"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys. Therefore it\u0027s possible to mix them and to send private key to the third-party instead of public key. This issue affects ((OTRS)) Community Edition: 5.0.42 and prior versions, 6.0.27 and prior versions. OTRS: 7.0.16 and prior versions."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-Other"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://otrs.com/release-notes/otrs-security-advisory-2020-11/",
              "refsource": "CONFIRM",
              "tags": [
                "Release Notes",
                "Vendor Advisory"
              ],
              "url": "https://otrs.com/release-notes/otrs-security-advisory-2020-11/"
            },
            {
              "name": "[debian-lts-announce] 20200501 [SECURITY] [DLA 2198-1] otrs2 security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00000.html"
            },
            {
              "name": "[debian-lts-announce] 20230831 [SECURITY] [DLA 3551-1] otrs2 security update",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-08-31T03:15Z",
      "publishedDate": "2020-04-28T14:15Z"
    }
  }
}

FKIE_CVE-2020-1774

Vulnerability from fkie_nvd - Published: 2020-04-28 14:15 - Updated: 2024-11-21 05:11

Severity ?

4.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security@otrs.com	https://lists.debian.org/debian-lts-announce/2020/05/msg00000.html	Mailing List, Third Party Advisory
security@otrs.com	https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
security@otrs.com	https://otrs.com/release-notes/otrs-security-advisory-2020-11/	Release Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2020/05/msg00000.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
af854a3a-2127-422b-91ae-364da2661108	https://otrs.com/release-notes/otrs-security-advisory-2020-11/	Release Notes, Vendor Advisory

Impacted products

Vendor	Product	Version
otrs	otrs	*
otrs	otrs	*
otrs	otrs	*
debian	debian_linux	8.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:otrs:otrs:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "06492F1B-5810-429D-BB78-8706F9E74AEE",
              "versionEndIncluding": "5.0.42",
              "versionStartIncluding": "5.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:*:*:*:*:community:*:*:*",
              "matchCriteriaId": "03EA383C-3BB5-46CF-AEBE-C2B3B92446A6",
              "versionEndIncluding": "6.0.27",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "59B100A3-DB5D-466B-BFA3-094EB95A0E4E",
              "versionEndIncluding": "7.0.16",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys. Therefore it\u0027s possible to mix them and to send private key to the third-party instead of public key. This issue affects ((OTRS)) Community Edition: 5.0.42 and prior versions, 6.0.27 and prior versions. OTRS: 7.0.16 and prior versions."
    },
    {
      "lang": "es",
      "value": "Cuando el usuario descarga claves y certificados de PGP o S/MIME, el archivo exportado presenta el mismo nombre para las claves privadas y p\u00fablicas. Por lo tanto, es posible mezclarlos y enviar la clave privada a un tercero en lugar de la clave p\u00fablica. Este problema afecta a ((OTRS)) Community Edition: versiones 5.0.42 y anteriores, versiones 6.0.27 y anteriores. OTRS: versiones 7.0.16 y anteriores."
    }
  ],
  "id": "CVE-2020-1774",
  "lastModified": "2024-11-21T05:11:21.797",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 0.9,
        "impactScore": 3.6,
        "source": "security@otrs.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-04-28T14:15:14.283",
  "references": [
    {
      "source": "security@otrs.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00000.html"
    },
    {
      "source": "security@otrs.com",
      "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"
    },
    {
      "source": "security@otrs.com",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://otrs.com/release-notes/otrs-security-advisory-2020-11/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00000.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://otrs.com/release-notes/otrs-security-advisory-2020-11/"
    }
  ],
  "sourceIdentifier": "security@otrs.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-201"
        }
      ],
      "source": "security@otrs.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

WID-SEC-W-2023-2222

Vulnerability from csaf_certbund - Published: 2020-04-26 22:00 - Updated: 2023-08-30 22:00

Summary

OTRS: Schwachstelle ermöglicht Offenlegung von Informationen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Das Open Ticket Request System (OTRS) ist ein Ticketsystem für Help-Desks.

Angriff

Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in OTRS ausnutzen, um Informationen offenzulegen.

Betroffene Betriebssysteme

- UNIX - Linux - MacOS X - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "niedrig"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Das Open Ticket Request System (OTRS) ist ein Ticketsystem f\u00fcr Help-Desks.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in OTRS ausnutzen, um Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux\n- MacOS X\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-2222 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2020/wid-sec-w-2023-2222.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-2222 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2222"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-3551 vom 2023-08-31",
        "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"
      },
      {
        "category": "external",
        "summary": "OTRS Security Advisory vom 2020-04-26",
        "url": "https://community.otrs.com/de/security-advisory-2020-11/"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA 2198 vom 2020-05-01",
        "url": "https://lists.debian.org/debian-lts-announce/2020/debian-lts-announce-202005/msg00000.html"
      }
    ],
    "source_lang": "en-US",
    "title": "OTRS: Schwachstelle erm\u00f6glicht Offenlegung von Informationen",
    "tracking": {
      "current_release_date": "2023-08-30T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:57:51.726+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-2222",
      "initial_release_date": "2020-04-26T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2020-04-26T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2020-05-03T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2023-08-30T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Debian aufgenommen"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "OTRS OTRS \u003c 7.0.17",
                "product": {
                  "name": "OTRS OTRS \u003c 7.0.17",
                  "product_id": "T016371",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:otrs:otrs:7.0.17"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "OTRS OTRS \u003c  6.0.28 Community",
                "product": {
                  "name": "OTRS OTRS \u003c  6.0.28 Community",
                  "product_id": "T016372",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:otrs:otrs:6.0.28_community"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "OTRS OTRS \u003c  5.0.43 Community",
                "product": {
                  "name": "OTRS OTRS \u003c  5.0.43 Community",
                  "product_id": "T016373",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:otrs:otrs:5.0.43_community"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "OTRS"
          }
        ],
        "category": "vendor",
        "name": "OTRS"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-1774",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in OTRS. Wenn der Benutzer PGP- oder S/MIME-Schl\u00fcssel und Zertifikate herunterl\u00e4dt, hat die exportierte Datei f\u00fcr private und \u00f6ffentliche Schl\u00fcssel denselben Namen. Deshalb k\u00f6nnen die Schl\u00fcssel verwechselt werden, und versehentlich der Private Schl\u00fcssel vom Nutzer ver\u00f6ffentlicht werden. In der Folge kann ein Angreifer Informationen offenlegen."
        }
      ],
      "product_status": {
        "known_affected": [
          "2951"
        ]
      },
      "release_date": "2020-04-26T22:00:00.000+00:00",
      "title": "CVE-2020-1774"
    }
  ]
}

GHSA-5G6P-JP4C-37Q4

Vulnerability from github – Published: 2022-05-24 17:16 – Updated: 2023-08-31 03:30

Details

Severity ?

4.9 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2020-1774"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-201"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-04-28T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys. Therefore it\u0027s possible to mix them and to send private key to the third-party instead of public key. This issue affects ((OTRS)) Community Edition: 5.0.42 and prior versions, 6.0.27 and prior versions. OTRS: 7.0.16 and prior versions.",
  "id": "GHSA-5g6p-jp4c-37q4",
  "modified": "2023-08-31T03:30:36Z",
  "published": "2022-05-24T17:16:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1774"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"
    },
    {
      "type": "WEB",
      "url": "https://otrs.com/release-notes/otrs-security-advisory-2020-11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-1774 (GCVE-0-2020-1774)

CNVD-2020-32426

GSD-2020-1774

FKIE_CVE-2020-1774

WID-SEC-W-2023-2222

GHSA-5G6P-JP4C-37Q4

Tags

Sightings

Nomenclature