Remote inventory task command injection when using ssh command mode
CVE-2023-34254

7.7HIGH

Key Information:

Vendor: Glpi-project
Status: Glpi-agent
Vendor: CVE Published:; 23 June 2023

Summary

The GLPI Agent, utilized for system management, exhibits a command injection vulnerability in its remote inventory task on Unix systems. Administrators can inadvertently allow malicious users to inject commands in a specific workflow. If the agent operates with elevated privileges, attackers could exploit this flaw to gain unauthorized access and manipulate system functions. This vulnerability also exposes configuration data for all remote accesses used by the agent. The issue has been addressed in version 1.5 of the GLPI Agent, urging users to update promptly to mitigate risks.

Affected Version(s)

glpi-agent < 1.5

References

https://github.com/glpi-project/glpi-agent/security/advis...

x_refsource_CONFIRM

https://github.com/glpi-project/glpi-agent/blob/dd313ee09...

x_refsource_MISC

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Jun 23, 2023
Vulnerability Reserved
May 31, 2023