NVD Vulnerability Detail

CVE-2017-17476

Summary	Open Ticket Request System (OTRS) 4.0.x before 4.0.28, 5.0.x before 5.0.26, and 6.0.x before 6.0.3, when cookie support is disabled, might allow remote attackers to hijack web sessions and consequently gain privileges via a crafted email.
Publication Date	Dec. 21, 2017, 2:29 a.m.
Registration Date	Jan. 26, 2021, 1:19 p.m.
Last Update	Nov. 21, 2024, 12:18 p.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	https://github.com/OTRS/otrs/commit/26707eaaa791648e6c7ad6aeaa27efd70e7c66eb	Patch Third Party Advisory
2	https://github.com/OTRS/otrs/commit/26707eaaa791648e6c7ad6aeaa27efd70e7c66eb	Patch Third Party Advisory
3	https://github.com/OTRS/otrs/commit/36e3be99cfe8a9e09afa1b75fdc39f3e28f561fc	Patch Third Party Advisory
4	https://github.com/OTRS/otrs/commit/36e3be99cfe8a9e09afa1b75fdc39f3e28f561fc	Patch Third Party Advisory
5	https://github.com/OTRS/otrs/commit/720c73fbf53e476ca7dfdf2ae1d4d3d2aad2b953	Patch Third Party Advisory
6	https://github.com/OTRS/otrs/commit/720c73fbf53e476ca7dfdf2ae1d4d3d2aad2b953	Patch Third Party Advisory
7	https://lists.debian.org/debian-lts-announce/2017/12/msg00018.html	Mailing List Third Party Advisory
8	https://lists.debian.org/debian-lts-announce/2017/12/msg00018.html	Mailing List Third Party Advisory
9	https://www.debian.org/security/2017/dsa-4069	Third Party Advisory
10	https://www.debian.org/security/2017/dsa-4069	Third Party Advisory
11	https://www.otrs.com/security-advisory-2017-10-security-update-otrs-framework/	Patch Vendor Advisory
12	https://www.otrs.com/security-advisory-2017-10-security-update-otrs-framework/	Patch Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-200	情報漏えい	https://cwe.mitre.org/data/definitions/200.html

JVN Vulnerability Information

Open Ticket Request System における認可・権限・アクセス制御に関する脆弱性

Title	Open Ticket Request System における認可・権限・アクセス制御に関する脆弱性
Summary	Open Ticket Request System (OTRS) には、認可・権限・アクセス制御に関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Dec. 19, 2017, midnight
Registration Date	Jan. 26, 2018, 11:57 a.m.
Last Update	Jan. 26, 2018, 11:57 a.m.

Affected System

Debian

Debian GNU/Linux 8.0

Debian GNU/Linux 9.0

OTRS プロジェクト

OTRS 4.0.28 未満の 4.0.x

OTRS 5.0.26 未満の 5.0.x

OTRS 6.0.3 未満の 6.0.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-17476	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17476
National Vulnerability Database (NVD)
2	CVE-2017-17476	https://nvd.nist.gov/vuln/detail/CVE-2017-17476

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-264	https://jvndb.jvn.jp/ja/cwe/CWE-264.html

ベンダー情報

No	Name	URL
Debian Security Advisory
1	DSA-4069	https://www.debian.org/security/2017/dsa-4069
GitHub
2	Improved parameter appending. (26707ea)	https://github.com/OTRS/otrs/commit/26707eaaa791648e6c7ad6aeaa27efd70e7c66eb
3	Improved parameter appending. (36e3be9)	https://github.com/OTRS/otrs/commit/36e3be99cfe8a9e09afa1b75fdc39f3e28f561fc
4	Improved parameter appending. (720c73f)	https://github.com/OTRS/otrs/commit/720c73fbf53e476ca7dfdf2ae1d4d3d2aad2b953
Security Advisory
5	OSA-2017-10	https://www.otrs.com/security-advisory-2017-10-security-update-otrs-framework/

Change Log

No	Changed Details	Date of change
0	[2018年01月26日] 掲載	Feb. 17, 2018, 10:37 a.m.