CVE-2020-1774
Information disclosure
Public Exploits: 0
Exploited in Wild: -
Descriptions
When a user downloads PGP or S/MIME keys/certificates, the exported file has the same name for private and public keys. It is therefore possible to mix them up and send the private key to a third party instead of the public key. This issue affects ((OTRS)) Community Edition: 5.0.42 and prior versions, 6.0.27 and prior versions. OTRS: 7.0.16 and prior versions.
Timeline
- 2019-11-29 CVE Reserved
- 2020-04-28 CVE Published
- 2023-08-31 EPSS Updated
- 2024-09-16 CVE Updated
CWE
- CWE-201: Insertion of Sensitive Information Into Sent Data
References (3)
URL | Tag | Date |
---|---|---|
https://lists.debian.org/debian-lts-announce/2020/05/msg00000.html | Mailing List | |
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html | Mailing List | |
https://otrs.com/release-notes/otrs-security-advisory-2020-11 | | 2023-08-31 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Otrs | Otrs | >= 5.0.0 <= 5.0.42 | community | Affected |
Otrs | Otrs | >= 6.0.0 <= 6.0.27 | community | Affected |
Otrs | Otrs | >= 7.0.0 <= 7.0.16 | - | Affected |
Debian | Debian Linux | 8.0 | - | Affected |