Vulnerability CVE-2023-35924: Information
Description
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.8, GLPI inventory endpoint can be used to drive a SQL injection attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory.
Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
glpi | sisyphus | 10.0.9-alt1 | 10.0.15-alt1 | ALT-PU-2023-4552-1 | 325568 | Fixed |
glpi | sisyphus_e2k | 10.0.9-alt1 | 10.0.15-alt1 | ALT-PU-2023-4673-1 | - | Fixed |
glpi | p10 | 10.0.10-alt1 | 10.0.15-alt1 | ALT-PU-2023-7633-2 | 335195 | Fixed |
glpi | p10_e2k | 10.0.10-alt1 | 10.0.15-alt1 | ALT-PU-2023-7912-1 | - | Fixed |
glpi | c10f1 | 10.0.15-alt1 | 10.0.15-alt1 | ALT-PU-2024-8030-2 | 348513 | Fixed |
glpi | p11 | 10.0.9-alt1 | 10.0.15-alt1 | ALT-PU-2023-4552-1 | 325568 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
---|---|
https://github.com/glpi-project/glpi/security/advisories/GHSA-gxh4-j63w-8jmm |
|
https://github.com/glpi-project/glpi/releases/tag/10.0.8 |
|