Upstream information

CVE-2023-5422 at MITRE


The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS based communication. As the SSL_get_verify_result() function is not used the certificated is trusted always and it can not be ensured that the certificate satisfies all necessary security requirements. This could allow an attacker to use an invalid certificate to claim to be a trusted host, use expired certificates, or conduct other attacks that could be detected if the certificate is properly validated. This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having important severity.

CVSS v3 Scores
  National Vulnerability Database
Base Score 8.7
Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Changed
Confidentiality Impact High
Integrity Impact High
Availability Impact None
CVSSv3 Version 3.1
SUSE Bugzilla entry: 1216286 [RESOLVED / WONTFIX]

No SUSE Security Announcements cross referenced.

SUSE Timeline for this CVE

CVE page created: Mon Oct 16 12:00:18 2023
CVE page last modified: Wed Oct 25 16:33:19 2023