CVE-2024-43446 (GCVE-0-2024-43446)
Vulnerability from cvelistv5
Published
2025-01-27 05:58
Modified
2025-02-12 20:41
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
CWE
  • CWE-269 - Improper Privilege Management
Summary
An improper privilege management vulnerability in OTRS Generic Interface module allows change of the Ticket status even if the user only has ro permissions. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * ((OTRS)) Community Edition: 6.0.x Products based on the ((OTRS)) Community Edition also very likely to be affected
References
Impacted products
Vendor Product Version
OTRS AG OTRS Version: 7.0.x
Version: 8.0.x
Version: 2023.x
Version: 2024.x
Version: 2025.x
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-43446",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-27T13:36:20.253690Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T20:41:31.804Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "modules": [
            "Generic Interface"
          ],
          "product": "OTRS",
          "vendor": "OTRS AG",
          "versions": [
            {
              "status": "affected",
              "version": "7.0.x"
            },
            {
              "status": "affected",
              "version": "8.0.x"
            },
            {
              "status": "affected",
              "version": "2023.x"
            },
            {
              "status": "affected",
              "version": "2024.x"
            },
            {
              "lessThan": "2025.1.x",
              "status": "affected",
              "version": "2025.x",
              "versionType": "Patch"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "((OTRS)) Community Edition",
          "vendor": "OTRS AG",
          "versions": [
            {
              "lessThanOrEqual": "6.0.34",
              "status": "affected",
              "version": "6.0.x",
              "versionType": "All"
            }
          ]
        }
      ],
      "datePublic": "2025-01-27T08:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An improper privilege management vulnerability in OTRS Generic Interface module allows change of the Ticket status even if the user only has ro permissions. \u003cbr\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eThis issue affects: \u003c/p\u003e\u003cul\u003e\u003cli\u003eOTRS 7.0.X\u003cbr\u003e\u003c/li\u003e\u003cli\u003eOTRS 8.0.X\u003c/li\u003e\u003cli\u003eOTRS 2023.X\u003c/li\u003e\u003cli\u003eOTRS 2024.X\u003cbr\u003e\u003c/li\u003e\u003cli\u003e((OTRS)) Community Edition: 6.0.x\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003e\u003cdiv\u003eProducts based on the ((OTRS)) Community Edition also very likely to be affected\u003c/div\u003e\u003cbr\u003e\u003cp\u003e\u003c/p\u003e"
            }
          ],
          "value": "An improper privilege management vulnerability in OTRS Generic Interface module allows change of the Ticket status even if the user only has ro permissions. \n\nThis issue affects: \n\n  *  OTRS 7.0.X\n\n  *  OTRS 8.0.X\n  *  OTRS 2023.X\n  *  OTRS 2024.X\n\n  *  ((OTRS)) Community Edition: 6.0.x\n\nProducts based on the ((OTRS)) Community Edition also very likely to be affected"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269 Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-27T05:58:29.271Z",
        "orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8",
        "shortName": "OTRS"
      },
      "references": [
        {
          "url": "https://otrs.com/release-notes/otrs-security-advisory-2025-02/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to OTRS 2025.1.x. Please note that there will be no OTRS 7 patches\u003cbr\u003e"
            }
          ],
          "value": "Update to OTRS 2025.1.x. Please note that there will be no OTRS 7 patches"
        }
      ],
      "source": {
        "advisory": "OSA-2025-02",
        "defect": [
          "Issue#3124",
          "Ticket#2024081942000891"
        ],
        "discovery": "USER"
      },
      "title": "Improper check of permissions in Generic Interface",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8",
    "assignerShortName": "OTRS",
    "cveId": "CVE-2024-43446",
    "datePublished": "2025-01-27T05:58:29.271Z",
    "dateReserved": "2024-08-13T13:38:47.973Z",
    "dateUpdated": "2025-02-12T20:41:31.804Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-43446\",\"sourceIdentifier\":\"security@otrs.com\",\"published\":\"2025-01-27T06:15:24.033\",\"lastModified\":\"2025-01-27T06:15:24.033\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An improper privilege management vulnerability in OTRS Generic Interface module allows change of the Ticket status even if the user only has ro permissions. \\n\\nThis issue affects: \\n\\n  *  OTRS 7.0.X\\n\\n  *  OTRS 8.0.X\\n  *  OTRS 2023.X\\n  *  OTRS 2024.X\\n\\n  *  ((OTRS)) Community Edition: 6.0.x\\n\\nProducts based on the ((OTRS)) Community Edition also very likely to be affected\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de administraci\u00f3n de privilegios incorrecta en el m\u00f3dulo de interfaz gen\u00e9rica de OTRS permite cambiar el estado del ticket incluso si el usuario solo tiene permisos ro. Este problema afecta a: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * ((OTRS)) Community Edition: 6.0.x Es muy probable que los productos basados ??en ((OTRS)) Community Edition tambi\u00e9n se vean afectados\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@otrs.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N\",\"baseScore\":3.5,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security@otrs.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"}]}],\"references\":[{\"url\":\"https://otrs.com/release-notes/otrs-security-advisory-2025-02/\",\"source\":\"security@otrs.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-43446\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-27T13:36:20.253690Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-12T20:36:35.059Z\"}}], \"cna\": {\"title\": \"Improper check of permissions in Generic Interface\", \"source\": {\"defect\": [\"Issue#3124\", \"Ticket#2024081942000891\"], \"advisory\": \"OSA-2025-02\", \"discovery\": \"USER\"}, \"impacts\": [{\"capecId\": \"CAPEC-233\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-233 Privilege Escalation\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"OTRS AG\", \"modules\": [\"Generic Interface\"], \"product\": \"OTRS\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0.x\"}, {\"status\": \"affected\", \"version\": \"8.0.x\"}, {\"status\": \"affected\", \"version\": \"2023.x\"}, {\"status\": \"affected\", \"version\": \"2024.x\"}, {\"status\": \"affected\", \"version\": \"2025.x\", \"lessThan\": \"2025.1.x\", \"versionType\": \"Patch\"}], \"defaultStatus\": \"affected\"}, {\"vendor\": \"OTRS AG\", \"product\": \"((OTRS)) Community Edition\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.0.x\", \"versionType\": \"All\", \"lessThanOrEqual\": \"6.0.34\"}], \"defaultStatus\": \"affected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Update to OTRS 2025.1.x. Please note that there will be no OTRS 7 patches\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Update to OTRS 2025.1.x. Please note that there will be no OTRS 7 patches\u003cbr\u003e\", \"base64\": false}]}], \"datePublic\": \"2025-01-27T08:00:00.000Z\", \"references\": [{\"url\": \"https://otrs.com/release-notes/otrs-security-advisory-2025-02/\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An improper privilege management vulnerability in OTRS Generic Interface module allows change of the Ticket status even if the user only has ro permissions. \\n\\nThis issue affects: \\n\\n  *  OTRS 7.0.X\\n\\n  *  OTRS 8.0.X\\n  *  OTRS 2023.X\\n  *  OTRS 2024.X\\n\\n  *  ((OTRS)) Community Edition: 6.0.x\\n\\nProducts based on the ((OTRS)) Community Edition also very likely to be affected\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"An improper privilege management vulnerability in OTRS Generic Interface module allows change of the Ticket status even if the user only has ro permissions. \u003cbr\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eThis issue affects: \u003c/p\u003e\u003cul\u003e\u003cli\u003eOTRS 7.0.X\u003cbr\u003e\u003c/li\u003e\u003cli\u003eOTRS 8.0.X\u003c/li\u003e\u003cli\u003eOTRS 2023.X\u003c/li\u003e\u003cli\u003eOTRS 2024.X\u003cbr\u003e\u003c/li\u003e\u003cli\u003e((OTRS)) Community Edition: 6.0.x\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003e\u003cdiv\u003eProducts based on the ((OTRS)) Community Edition also very likely to be affected\u003c/div\u003e\u003cbr\u003e\u003cp\u003e\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-269\", \"description\": \"CWE-269 Improper Privilege Management\"}]}], \"providerMetadata\": {\"orgId\": \"2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8\", \"shortName\": \"OTRS\", \"dateUpdated\": \"2025-01-27T05:58:29.271Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-43446\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-12T20:41:31.804Z\", \"dateReserved\": \"2024-08-13T13:38:47.973Z\", \"assignerOrgId\": \"2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8\", \"datePublished\": \"2025-01-27T05:58:29.271Z\", \"assignerShortName\": \"OTRS\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.