CVE-2021-21439

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

—

Description

DoS attack can be performed when an email contains specially designed URL in the body. It can lead to the high CPU usage and cause low quality of service, or in extreme case bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions; 8.0.x version 8.0.13 and prior versions.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2021-21439 NameCVE-2021-21439 DescriptionDoS attack can be performed when an email contains specially designed URL in the body. It can lead to the high CPU usage and cause low quality of service, or in extreme case bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions;…

CVE-2021-21439

Name	CVE-2021-21439
Description	DoS attack can be performed when an email contains specially designed URL in the body. It can lead to the high CPU usage and cause low quality of service, or in extreme case bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTRS AG OTRS 7.0.x version 7.0.26 and prior versions; 8.0.x version 8.0.13 and prior versions.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3551-1
Debian Bugs	989992

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
otrs2 (PTS)	bullseye/non-free	6.0.32-6	fixed
znuny (PTS)	bookworm/non-free	6.5.1-1	fixed
	trixie/non-free	6.5.15-2	fixed
	forky/non-free	6.5.20-1	fixed
	sid/non-free	6.5.21-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
otrs2	source	buster	6.0.16-2+deb10u1	DLA-3551-1
otrs2	source	(unstable)	6.0.32-5		989992
znuny	source	(unstable)	(not affected)

Notes

[stretch] - otrs2 <no-dsa> (Non-free not supported)
- znuny <not-affected> (Fixed before initial upload to Debian)
https://otrs.com/release-notes/otrs-security-advisory-2021-09/
Fixed by: https://github.com/znuny/Znuny/commit/b67e43f73dbb3c029504a082c7807677ed091d23 (rel-6_0_33)

Home - Debian Security - Source (Git)

Apply commands

text fix

Notes

[stretch] - otrs2 <no-dsa> (Non-free not supported)- znuny <not-affected> (Fixed before initial upload to Debian)https://otrs.com/release-notes/otrs-security-advisory-2021-09/Fixed by: https://github.com/znuny/Znuny/commit/b67e43f73dbb3c029504a082c7807677ed091d23 (rel-6_0_33)

OS impact

OS	Version	Status	Fixed in
debian	bullseye	fixed	`6.0.32-5`
debian	bookworm	fixed	`0`
debian	forky	fixed	`0`
debian	sid	fixed	`0`
debian	trixie	fixed	`0`

References

https://security-tracker.debian.org/tracker/CVE-2021-21439

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.