CVE-2021-36100: 
Linux Debian vulnerability analysis and mitigation

A critical security vulnerability (CVE-2021-36100) was discovered in OTRS (Open-Source Ticket Request System) that allows the execution of arbitrary system commands through specially crafted strings in the system configuration. The vulnerability was identified in 2021 and affects multiple versions of OTRS, including OTRS 8.0.x, 7.0.x, OTRSSTORM 8.0.x, 7.0.x, 6.0.x, SystemMonitoring 8.0.x, 7.0.x, 6.0.x, and ((OTRS)) Community Edition 6.0.x (OTRS Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue involves the execution of system commands through multiple attack vectors including generic agents, MIME-Viewer settings, dashboard widgets, and Sendmail and PostMaster pre-filter configurations (OTRS Advisory, Debian Advisory).

The vulnerability allows attackers with appropriate access to execute arbitrary system commands on the affected OTRS installation, potentially leading to complete system compromise. This could result in unauthorized access to sensitive information, system manipulation, and service disruption (OTRS Advisory).

The vulnerability has been fixed in OTRS versions 8.0.20, 7.0.33, OTRSSTORM 8.0.12, 7.0.28, and SystemMonitoring 8.0.9, 7.0.19. The fix includes removing configurable system commands from generic agents, removing MIME-Viewer settings, removing dashboard widget support for command execution, and deactivating support for execution of configurable system commands from Sendmail and PostMaster pre-filter configurations (OTRS Advisory, Debian Advisory).