CVE-2022-4427 - Vulnerability Details - OpenCVE

Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Otrs	Otrs

Configuration 1 [-]

OR	cpe:2.3:a:otrs:otrs:::::community:::*
	cpe:2.3:a:otrs:otrs::::::::
	cpe:2.3:a:otrs:otrs::::::::
	cpe:2.3:a:otrs:otrs:7.0.40:-::::::
	cpe:2.3:a:otrs:otrs:8.0.28:-::::::

No data.

References

Link	Providers
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
https://otrs.com/release-notes/otrs-security-advisory-2022-15/

History

Mon, 14 Apr 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 13 Feb 2025 16:45:00 +0000

Type	Values Removed	Values Added
Description	Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.	Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.

MITRE

Status: PUBLISHED

Assigner: OTRS

Published: 2022-12-19T08:09:51.646Z

Updated: 2025-04-14T18:03:54.260Z

Reserved: 2022-12-12T16:11:40.741Z

Link: CVE-2022-4427

Vulnrichment

Updated: 2024-08-03T01:41:44.619Z

NVD

Status : Modified

Published: 2022-12-19T09:15:09.707

Modified: 2025-02-13T17:15:50.667

Link: CVE-2022-4427

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-4427", "assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "state": "PUBLISHED", "assignerShortName": "OTRS", "requesterUserId": "e1930910-48a6-4f4e-9306-261ea8c0e8b1", "dateReserved": "2022-12-12T16:11:40.741Z", "datePublished": "2022-12-19T08:09:51.646Z", "dateUpdated": "2025-04-14T18:03:54.260Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "modules": ["Generic Interface"], "product": "OTRS", "vendor": "OTRS AG", "versions": [{"lessThan": "7.0.40 Patch 1", "status": "affected", "version": "7.0.1", "versionType": "Patch 1 (2022-12-19)"}, {"lessThan": "8.0.28 Patch 1", "status": "affected", "version": "8.0.1", "versionType": "Patch 1 (2022-12-19)"}]}, {"defaultStatus": "affected", "modules": ["Generic Interface"], "product": "((OTRS)) Community Edition", "vendor": "OTRS AG", "versions": [{"lessThanOrEqual": "6.0.34", "status": "affected", "version": "6.0.1", "versionType": "All"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "TicketSearch Webservice has to be configured<br>"}], "value": "TicketSearch Webservice has to be configured"}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Special thanks to Tim P\u00fcttmanns for reporting these vulnerability."}], "datePublic": "2022-12-19T08:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice<br><p>This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.</p>"}], "value": "Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice\nThis issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34."}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "shortName": "OTRS", "dateUpdated": "2023-08-31T02:06:34.631Z"}, "references": [{"url": "https://otrs.com/release-notes/otrs-security-advisory-2022-15/"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to OTRS 7.0.40 Patch 1 or OTRS 8.0.28 Patch 1 released on 19th December 2022<br>"}], "value": "Update to OTRS 7.0.40 Patch 1 or OTRS 8.0.28 Patch 1 released on 19th December 2022"}], "source": {"advisory": "OSA-2022-15", "discovery": "EXTERNAL"}, "title": "SQL Injection via OTRS Search API", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:41:44.619Z"}, "title": "CVE Program Container", "references": [{"url": "https://otrs.com/release-notes/otrs-security-advisory-2022-15/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-14T18:03:48.009731Z", "id": "CVE-2022-4427", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-14T18:03:54.260Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://otrs.com/release-notes/otrs-security-advisory-2022-15/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:41:44.619Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-4427", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-14T18:03:48.009731Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-14T14:41:02.186Z"}}], "cna": {"title": "SQL Injection via OTRS Search API", "source": {"advisory": "OSA-2022-15", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Special thanks to Tim P\u00fcttmanns for reporting these vulnerability."}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OTRS AG", "modules": ["Generic Interface"], "product": "OTRS", "versions": [{"status": "affected", "version": "7.0.1", "lessThan": "7.0.40 Patch 1", "versionType": "Patch 1 (2022-12-19)"}, {"status": "affected", "version": "8.0.1", "lessThan": "8.0.28 Patch 1", "versionType": "Patch 1 (2022-12-19)"}], "defaultStatus": "affected"}, {"vendor": "OTRS AG", "modules": ["Generic Interface"], "product": "((OTRS)) Community Edition", "versions": [{"status": "affected", "version": "6.0.1", "versionType": "All", "lessThanOrEqual": "6.0.34"}], "defaultStatus": "affected"}], "solutions": [{"lang": "en", "value": "Update to OTRS 7.0.40 Patch 1 or OTRS 8.0.28 Patch 1 released on 19th December 2022", "supportingMedia": [{"type": "text/html", "value": "Update to OTRS 7.0.40 Patch 1 or OTRS 8.0.28 Patch 1 released on 19th December 2022<br>", "base64": false}]}], "datePublic": "2022-12-19T08:00:00.000Z", "references": [{"url": "https://otrs.com/release-notes/otrs-security-advisory-2022-15/"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice\nThis issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.", "supportingMedia": [{"type": "text/html", "value": "Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice<br><p>This issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "configurations": [{"lang": "en", "value": "TicketSearch Webservice has to be configured", "supportingMedia": [{"type": "text/html", "value": "TicketSearch Webservice has to be configured<br>", "base64": false}]}], "providerMetadata": {"orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "shortName": "OTRS", "dateUpdated": "2023-08-31T02:06:34.631Z"}}}, "cveMetadata": {"cveId": "CVE-2022-4427", "state": "PUBLISHED", "dateUpdated": "2025-04-14T18:03:54.260Z", "dateReserved": "2022-12-12T16:11:40.741Z", "assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "datePublished": "2022-12-19T08:09:51.646Z", "requesterUserId": "e1930910-48a6-4f4e-9306-261ea8c0e8b1", "assignerShortName": "OTRS"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:otrs:otrs:*:*:*:*:community:*:*:*", "matchCriteriaId": "F4C2FF02-9A6F-435D-A55A-D2F085BD1FB2", "versionEndIncluding": "6.0.34", "versionStartIncluding": "6.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*", "matchCriteriaId": "FF2A3E3C-3DDF-4242-B173-1EDBFD99D7AC", "versionEndExcluding": "7.0.40", "versionStartIncluding": "7.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*", "matchCriteriaId": "4430231E-14C4-4C7F-8CA7-F8E36B639ADB", "versionEndExcluding": "8.0.28", "versionStartIncluding": "8.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:otrs:otrs:7.0.40:-:*:*:*:*:*:*", "matchCriteriaId": "222528AA-E7BC-4FFC-A420-83798C8E9B7E", "vulnerable": true}, {"criteria": "cpe:2.3:a:otrs:otrs:8.0.28:-:*:*:*:*:*:*", "matchCriteriaId": "3169243C-9150-4E99-8E36-F6EB34D5EDE7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via TicketSearch Webservice\nThis issue affects OTRS: from 7.0.1 before 7.0.40 Patch 1, from 8.0.1 before 8.0.28 Patch 1; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34."}, {"lang": "es", "value": "Vulnerabilidad de validaci\u00f3n de entrada incorrecta en OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition permite la inyecci\u00f3n de SQL a trav\u00e9s de TicketSearch Webservice. Este problema afecta a OTRS: desde 7.0.1 antes de 7.0.40 parche 1, desde 8.0.1 antes de 8.0.28 parche 1 ; ((OTRS)) Community Edition: desde 6.0.1 hasta 6.0.34.\n "}], "id": "CVE-2022-4427", "lastModified": "2025-02-13T17:15:50.667", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@otrs.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-19T09:15:09.707", "references": [{"source": "security@otrs.com", "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"}, {"source": "security@otrs.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://otrs.com/release-notes/otrs-security-advisory-2022-15/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://otrs.com/release-notes/otrs-security-advisory-2022-15/"}], "sourceIdentifier": "security@otrs.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@otrs.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}