SQL Injection via package deployment tasks in glpi-inventory-plugin
CVE-2022-31082

5.8MEDIUM

Key Information:

Vendor: Glpi-project
Status: Glpi-inventory-plugin
Vendor: CVE Published:; 27 June 2022

Summary

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. glpi-inventory-plugin is a plugin for GLPI to handle inventory management. In affected versions a SQL injection can be made using package deployment tasks. This issue has been resolved in version 1.0.2. Users are advised to upgrade. Users unable to upgrade should delete the front/deploypackage.public.php file if they are not using the deploy tasks feature.

Affected Version(s)

glpi-inventory-plugin < 1.0.2

References

https://github.com/glpi-project/glpi-inventory-plugin/sec...

x_refsource_CONFIRM

https://github.com/glpi-project/glpi-inventory-plugin/com...

x_refsource_MISC

CVSS V3.1

Score:

5.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Jun 27, 2022
Vulnerability Reserved
May 18, 2022