CVE-2022-39051 (GCVE-0-2022-39051)
Vulnerability from cvelistv5 – Published: 2022-09-05 06:40 – Updated: 2024-09-16 17:18
VLAI?
Title
Perl Code execution in Template Toolkit
Summary
Attacker might be able to execute malicious Perl code in the Template toolkit, by having the admin installing an unverified 3th party package
Severity ?
6.8 (Medium)
CWE
- CWE-913 - Improper Control of Dynamically-Managed Code Resources
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| OTRS AG | OTRS |
Affected:
7.0.x 7.0.36
Affected: 8.0.x 8.0.24 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T11:10:32.406Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://otrs.com/release-notes/otrs-security-advisory-2022-12/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OTRS",
"vendor": "OTRS AG",
"versions": [
{
"status": "affected",
"version": "7.0.x 7.0.36"
},
{
"status": "affected",
"version": "8.0.x 8.0.24"
}
]
},
{
"product": "((OTRS)) Community Edition",
"vendor": "OTRS AG",
"versions": [
{
"lessThan": "6.0.x*",
"status": "affected",
"version": "6.0.1",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-09-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Attacker might be able to execute malicious Perl code in the Template toolkit, by having the admin installing an unverified 3th party package"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-913",
"description": "CWE-913 Improper Control of Dynamically-Managed Code Resources",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-05T06:40:12",
"orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8",
"shortName": "OTRS"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://otrs.com/release-notes/otrs-security-advisory-2022-12/"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to OTRS 8.0.25 or OTRS 7.0.37."
}
],
"source": {
"advisory": "OSA-2022-12",
"defect": [
"2022042942000784"
],
"discovery": "USER"
},
"title": "Perl Code execution in Template Toolkit",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@otrs.com",
"DATE_PUBLIC": "2022-09-05T07:00:00.000Z",
"ID": "CVE-2022-39051",
"STATE": "PUBLIC",
"TITLE": "Perl Code execution in Template Toolkit"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OTRS",
"version": {
"version_data": [
{
"version_name": "7.0.x",
"version_value": "7.0.36"
},
{
"version_name": "8.0.x",
"version_value": "8.0.24"
}
]
}
},
{
"product_name": "((OTRS)) Community Edition",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_name": "6.0.x",
"version_value": "6.0.1"
}
]
}
}
]
},
"vendor_name": "OTRS AG"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Attacker might be able to execute malicious Perl code in the Template toolkit, by having the admin installing an unverified 3th party package"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-913 Improper Control of Dynamically-Managed Code Resources"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://otrs.com/release-notes/otrs-security-advisory-2022-12/",
"refsource": "CONFIRM",
"url": "https://otrs.com/release-notes/otrs-security-advisory-2022-12/"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to OTRS 8.0.25 or OTRS 7.0.37."
}
],
"source": {
"advisory": "OSA-2022-12",
"defect": [
"2022042942000784"
],
"discovery": "USER"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8",
"assignerShortName": "OTRS",
"cveId": "CVE-2022-39051",
"datePublished": "2022-09-05T06:40:12.771350Z",
"dateReserved": "2022-08-31T00:00:00",
"dateUpdated": "2024-09-16T17:18:42.122Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:otrs:otrs:*:*:*:*:community:*:*:*\", \"versionStartIncluding\": \"6.0.0\", \"versionEndIncluding\": \"6.0.32\", \"matchCriteriaId\": \"2330DDC0-20DF-4031-A4A3-017F0E73C08A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"7.0.0\", \"versionEndExcluding\": \"7.0.37\", \"matchCriteriaId\": \"CDB57B12-C33A-499A-AD20-7608053FB2B1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"8.0.0\", \"versionEndExcluding\": \"8.0.25\", \"matchCriteriaId\": \"3F9BA949-D450-43E5-907C-CC981270C588\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Attacker might be able to execute malicious Perl code in the Template toolkit, by having the admin installing an unverified 3th party package\"}, {\"lang\": \"es\", \"value\": \"El atacante podr\\u00eda ser capaz de ejecutar c\\u00f3digo Perl malicioso en el kit de herramientas Template, haciendo que el administrador instale un paquete de 3\\u00aa parte no verificado\"}]",
"id": "CVE-2022-39051",
"lastModified": "2024-11-21T07:17:27.460",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security@otrs.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 6.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 0.9, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}]}",
"published": "2022-09-05T07:15:08.117",
"references": "[{\"url\": \"https://otrs.com/release-notes/otrs-security-advisory-2022-12/\", \"source\": \"security@otrs.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://otrs.com/release-notes/otrs-security-advisory-2022-12/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "security@otrs.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security@otrs.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-913\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-913\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-39051\",\"sourceIdentifier\":\"security@otrs.com\",\"published\":\"2022-09-05T07:15:08.117\",\"lastModified\":\"2024-11-21T07:17:27.460\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Attacker might be able to execute malicious Perl code in the Template toolkit, by having the admin installing an unverified 3th party package\"},{\"lang\":\"es\",\"value\":\"El atacante podr\u00eda ser capaz de ejecutar c\u00f3digo Perl malicioso en el kit de herramientas Template, haciendo que el administrador instale un paquete de 3\u00aa parte no verificado\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@otrs.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":0.9,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@otrs.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-913\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-913\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:otrs:otrs:*:*:*:*:community:*:*:*\",\"versionStartIncluding\":\"6.0.0\",\"versionEndIncluding\":\"6.0.32\",\"matchCriteriaId\":\"2330DDC0-20DF-4031-A4A3-017F0E73C08A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.0.0\",\"versionEndExcluding\":\"7.0.37\",\"matchCriteriaId\":\"CDB57B12-C33A-499A-AD20-7608053FB2B1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.0\",\"versionEndExcluding\":\"8.0.25\",\"matchCriteriaId\":\"3F9BA949-D450-43E5-907C-CC981270C588\"}]}]}],\"references\":[{\"url\":\"https://otrs.com/release-notes/otrs-security-advisory-2022-12/\",\"source\":\"security@otrs.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://otrs.com/release-notes/otrs-security-advisory-2022-12/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…