Config Items are shown to users without permission
CVE-2021-21437

3.5LOW

Key Information:

Vendor: Otrs Ag
Status: Otrscisincustomerfrontend; Itsmconfigurationmanagement
Vendor: CVE Published:; 22 March 2021

What is CVE-2021-21437?

Agents are able to see linked Config Items without permissions, which are defined in General Catalog. This issue affects: OTRSCIsInCustomerFrontend 7.0.15 and prior versions, ITSMConfigurationManagement 7.0.24 and prior versions

Affected Version(s)

ITSMConfigurationManagement 7.0.x <= 7.0.24

OTRSCIsInCustomerFrontend 7.0.x <= 7.0.15

References

https://otrs.com/release-notes/otrs-security-advisory-202...

x_refsource_MISC

CVSS V3.1

Score:

3.5

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 22, 2021
Vulnerability Reserved
Dec 29, 2020

Credit

Jaroslav Balaz