Vulnerability CVE-2023-23610: Information

Description

GLPI is a Free Asset and IT Management Software package. Versions prior to 9.5.12 and 10.0.6 are vulnerable to Improper Privilege Management. Any user having access to the standard interface can export data of almost any GLPI item type, even those on which user is not allowed to access (including assets, tickets, users, ...). This issue is patched in 10.0.6.

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2023-23610
Published: Jan. 27, 2023
Modified: Feb. 2, 2023
Error type identifier: CWE-732

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
glpisisyphus10.0.6-alt110.0.15-alt1ALT-PU-2023-1471-1316952Fixed
glpisisyphus_e2k10.0.6-alt110.0.15-alt1ALT-PU-2023-2895-1-Fixed
glpip109.5.12-alt110.0.15-alt1ALT-PU-2023-1490-1316955Fixed
glpip10_e2k9.5.12-alt110.0.15-alt1ALT-PU-2023-2949-1-Fixed
glpip99.5.12-alt19.5.13-alt1ALT-PU-2023-1537-1317348Fixed
glpip9_e2k9.5.13-alt19.5.13-alt1ALT-PU-2023-5377-1-Fixed
glpic10f19.5.12-alt19.5.13-alt1ALT-PU-2023-1490-1316955Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/glpi-project/glpi/security/advisories/GHSA-6565-hm87-24hf
  • Third Party Advisory

    1. Configuration 1

      cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*
      Start including
      10.0.0
      End excliding
      10.0.6
      cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*
      Start including
      0.65
      End excliding
      9.5.12
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: v24.5.1
Back to top