OTRS Security Advisory 2022-04

Please read carefully and check if the version of your OTRS system is affected by this vulnerability.

Please send information regarding vulnerabilities in OTRS to: security@otrs.org

Security Advisory Details

• ID: OSA-2022-04
• Date: 2022-02-07
• Title: Several vulnerabilities in third-party npm modules
• Severity: 5.8 MEDIUM
• Product: OTRS 8.0.x
• Fixed in: OTRS 8.0.19
• FULL CVSS v3.1 VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
• References: CVE-2021-3803 / CVE-2021-3807 / CVE-2021-23368

PRODUCT AFFECTED:

This issue affects OTRS 8.0.x.

PROBLEM:

There are several vulnerable third-party npm modules which we use in production:

• qrcode – Inefficient Regular Expression Complexity in chalk/ansi-regex (moderate)
• cssnano – Inefficient Regular Expression Complexity in nth-check (moderate)
• cssnano – Regular Expression Denial of Service in postcss (moderate)

This issue affects:

OTRS AG OTRS 8.0.x version 8.0.18 and prior versions.

This issue was found during internal product security testing or research.

• CVE-2021-3803
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  nth-check is vulnerable to Inefficient Regular Expression Complexity
• CVE-2021-3807
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  ansi-regex is vulnerable to Inefficient Regular Expression Complexity
• CVE-2021-23368
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  The package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.

SOLUTION:

Update to OTRS 8.0.19

This issue is being tracked as 2021101342001598.

MODIFICATION HISTORY:

• 2022-02-07: Initial Publication.

RELATED LINKS:

• • CVE-2021-3803 at cve.mitre.org
  • https://otrs.com/release-notes/otrs-security-advisory-2022-04/

CVSS SCORE:

5.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L)

RISK LEVEL:

MEDIUM