Vulnerability CVE-2023-35939: Information
Description
GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a on a file accessible by an authenticated user (or not for certain actions), allows a threat actor to interact, modify, or see Dashboard data. Version 10.0.8 contains a patch for this issue.
Severity: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Published: July 6, 2023
Modified: July 11, 2023
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
glpi | sisyphus | 10.0.9-alt1 | 10.0.15-alt1 | ALT-PU-2023-4552-1 | 325568 | Fixed |
glpi | sisyphus_e2k | 10.0.9-alt1 | 10.0.15-alt1 | ALT-PU-2023-4673-1 | - | Fixed |
glpi | p10 | 10.0.10-alt1 | 10.0.15-alt1 | ALT-PU-2023-7633-2 | 335195 | Fixed |
glpi | p10_e2k | 10.0.10-alt1 | 10.0.15-alt1 | ALT-PU-2023-7912-1 | - | Fixed |
glpi | c10f1 | 10.0.15-alt1 | 10.0.15-alt1 | ALT-PU-2024-8030-2 | 348513 | Fixed |
glpi | p11 | 10.0.9-alt1 | 10.0.15-alt1 | ALT-PU-2023-4552-1 | 325568 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
---|---|
https://github.com/glpi-project/glpi/security/advisories/GHSA-cjcx-pwcx-v34c |
|
https://github.com/glpi-project/glpi/releases/tag/10.0.8 |
|