{"api_version":"1","generated_at":"2026-04-23T01:33:24+00:00","cve":"CVE-2023-38056","urls":{"html":"https://cve.report/CVE-2023-38056","api":"https://cve.report/api/cve/CVE-2023-38056.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-38056","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-38056"},"summary":{"title":"CVE-2023-38056","description":"Improper Neutralization of commands allowed to be executed via OTRS System Configuration e.g. SchedulerCronTaskModule using UnitTests modules allows any authenticated attacker with admin privileges local execution of Code.This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.","state":"PUBLIC","assigner":"security@otrs.com","published_at":"2023-07-24 09:15:00","updated_at":"2023-08-01 17:00:00"},"problem_types":["CWE-78"],"metrics":[],"references":[{"url":"https://otrs.com/release-notes/otrs-security-advisory-2023-05/","name":"https://otrs.com/release-notes/otrs-security-advisory-2023-05/","refsource":"MISC","tags":[],"title":"OTRS Security Advisory 2023-05 | OTRS","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-38056","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-38056","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"38056","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"otrs","cpe5":"otrs","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"38056","vulnerable":"1","versionEndIncluding":"6.0.34","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"otrs","cpe5":"otrs","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"community","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-38056","ASSIGNER":"security@otrs.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Improper Neutralization of commands allowed to be executed via OTRS System Configuration e.g. SchedulerCronTaskModule using UnitTests modules allows any authenticated attacker with admin privileges local execution of Code.This issue affects OTRS: from 7.0.X before 7.0.45, from 8.0.X before 8.0.35; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34.\n\n"}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","cweId":"CWE-78"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"OTRS AG","product":{"product_data":[{"product_name":"OTRS","version":{"version_data":[{"version_value":"not down converted","x_cve_json_5_version_data":{"versions":[{"lessThan":"7.0.45","status":"affected","version":"7.0.x","versionType":"Patch"},{"lessThan":"8.0.35","status":"affected","version":"8.0.x","versionType":"Patch"}],"defaultStatus":"affected"}}]}},{"product_name":"((OTRS)) Community Edition","version":{"version_data":[{"version_value":"not down converted","x_cve_json_5_version_data":{"versions":[{"lessThanOrEqual":"6.0.34","status":"affected","version":"6.0.1","versionType":"All"}],"defaultStatus":"affected"}}]}}]}}]}},"references":{"reference_data":[{"url":"https://otrs.com/release-notes/otrs-security-advisory-2023-05/","refsource":"MISC","name":"https://otrs.com/release-notes/otrs-security-advisory-2023-05/"}]},"generator":{"engine":"Vulnogram 0.1.0-dev"},"source":{"advisory":"OSA-2023-05","defect":["1025","Ticket#2023041142000636"],"discovery":"EXTERNAL"},"solution":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Update to OTRS 8.0.35 or OTRS 7.0.45<br>"}],"value":"Update to OTRS 8.0.35 or OTRS 7.0.45\n"}],"credits":[{"lang":"en","value":"Special thanks to Tim Püttmanns for reporting these vulnerability."}],"impact":{"cvss":[{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.2,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}]}},"nvd":{"publishedDate":"2023-07-24 09:15:00","lastModifiedDate":"2023-08-01 17:00:00","problem_types":["CWE-78"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.2,"baseSeverity":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:otrs:otrs:*:*:*:*:community:*:*:*","versionStartIncluding":"6.0.1","versionEndIncluding":"6.0.34","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:otrs:otrs:*:*:*:*:-:*:*:*","versionStartIncluding":"8.0.0","versionEndExcluding":"8.0.35","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:otrs:otrs:*:*:*:*:-:*:*:*","versionStartIncluding":"7.0.0","versionEndExcluding":"7.0.45","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}