CVE-2021-36097: Agents are able to lock the ticket without the "Owner" permission
First published: Mon Oct 18 2021(Updated: )
Agents are able to lock the ticket without the "Owner" permission. Once the ticket is locked, it could be moved to the queue where the agent has "rw" permissions and gain a full control. This issue affects: OTRS AG OTRS 8.0.x version: 8.0.16 and prior versions.
Credit: security@otrs.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Otrs Otrs | >=8.0.0<=8.0.16 |
Remedy
Update to OTRS 8.0.17.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2021-36097?
CVE-2021-36097 is a vulnerability that allows agents to lock a ticket without the "Owner" permission, giving them full control over the ticket.
What software versions are affected by CVE-2021-36097?
CVE-2021-36097 affects OTRS AG OTRS 8.0.x version: 8.0.16 and prior versions.
What is the severity of CVE-2021-36097?
CVE-2021-36097 has a severity keyword of 'medium' and a severity value of 4.3.
How can I fix CVE-2021-36097?
To fix CVE-2021-36097, users should update OTRS to version 8.0.17 or a later secure version.
Where can I find more information about CVE-2021-36097?
More information about CVE-2021-36097 can be found at the following link: [OTRS Security Advisory 2021-20](https://otrs.com/release-notes/otrs-security-advisory-2021-20/).
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/severity
- agent/references
- agent/weakness
- agent/title
- agent/author
- agent/tags
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- vendor/otrs
- canonical/otrs otrs
- version/otrs otrs/8.0.0
- version/otrs otrs/8.0.16