CVE-2023-5422

EPSS 0.19%
Veröffentlicht 16.10.2023 09:15:12
Zuletzt bearbeitet 21.11.2024 08:41:44
Quelle security@otrs.com
CVE-Watchlists
Login
Unerledigt
Login

The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS based communication. As the 
SSL_get_verify_result() function is not used the certificated is trusted always and it can not be ensured that the certificate 
satisfies all necessary security requirements.

This could allow an 
attacker to use an invalid certificate to claim to be a trusted host, 
use expired certificates, or conduct other attacks that could be 
detected if the certificate is properly validated.

This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Otrs ≫ Otrs SwEditioncommunity Version >= 6.0.0 <= 6.0.34

Otrs ≫ Otrs Version >= 7.0.0 < 7.0.47

Otrs ≫ Otrs Version >= 8.0.0 < 8.0.37

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.19%	0.409

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
security@otrs.com	8.7	2.2	5.8	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

https://otrs.com/release-notes/otrs-security-advisory-2023-10/

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-5422

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-5422

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-5422

EUVD