SSL Certificates are not checked for E-Mail Handling
CVE-2023-5422

9.1CRITICAL

Key Information:

Vendor: OTRS AG
Status: OTRS; ((OTRS)) Community Edition
Vendor: CVE Published:; 16 October 2023

What is CVE-2023-5422?

A vulnerability in OTRS and (OTRS) Community Edition allows for insecure email communication due to improper handling of SSL/TLS certificate validation. The affected email functions using OpenSSL for POP3, IMAP, and SMTP do not verify the results of SSL_get_verify_result(). As a result, it leads to a scenario where untrusted or expired certificates may be accepted, enabling potential attackers to impersonate trusted hosts or exploit various security weaknesses. This lack of robust certificate verification creates significant risks to the integrity and confidentiality of email communications.

Affected Version(s)

((OTRS)) Community Edition 6.0.x <= 6.0.34

OTRS 7.0.x

OTRS 7.0.x < 7.0.47

References

https://otrs.com/release-notes/otrs-security-advisory-202...

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 16, 2023
Vulnerability Reserved
Oct 5, 2023

Credit

Special thanks to Matthias Terlinde for reporting these vulnerability.

OTRS AG

What is CVE-2023-5422?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit