Vulnerability Name:

CVE-2020-1774 (CCN-180991)

Assigned:2019-11-29
Published:2020-04-27
Updated:2021-09-14
Summary:When user downloads PGP or S/MIME keys/certificates, exported file has same name for private and public keys. Therefore it's possible to mix them and to send private key to the third-party instead of public key. This issue affects ((OTRS)) Community Edition: 5.0.42 and prior versions, 6.0.27 and prior versions. OTRS: 7.0.16 and prior versions.
CVSS v3 Severity:4.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
4.3 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
4.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N)
3.9 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
6.1 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:M/C:C/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Multiple_Instances
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-Other
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2020-1774

Source: XF
Type: UNKNOWN
otrs-cve20201774-info-disc(180991)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20200501 [SECURITY] [DLA 2198-1] otrs2 security update

Source: CCN
Type: OTRS Security Advisory 2020-11
OTRS Security Advisory 2020-11

Source: CONFIRM
Type: Release Notes, Vendor Advisory
https://otrs.com/release-notes/otrs-security-advisory-2020-11/

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2020-1774

Vulnerable Configuration:Configuration 1:
  • cpe:/a:otrs:otrs:*:*:*:*:community:*:*:* (Version >= 5.0.0 and <= 5.0.42)
  • OR cpe:/a:otrs:otrs:*:*:*:*:community:*:*:* (Version >= 6.0.0 and <= 6.0.27)
  • OR cpe:/a:otrs:otrs:*:*:*:*:*:*:*:* (Version >= 7.0.0 and <= 7.0.16)

    • Configuration 2:
  • cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:otrs:otrs:5.0.42:*:*:*:community:*:*:*
  • OR cpe:/a:otrs:otrs:6.0.27:*:*:*:community:*:*:*
  • OR cpe:/a:otrs:otrs:7.0.16:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    otrs otrs *
    otrs otrs *
    otrs otrs *
    debian debian linux 8.0
    otrs otrs 5.0.42
    otrs otrs 6.0.27
    otrs otrs 7.0.16