GLPI SQL injection through inventory agent request
CVE-2023-46727
8.6 HIGH
Key Information:
- Vendor: Glpi-project
- Status
- Glpi
- Vendor
- CVE Published: 13 December 2023
Summary
A SQL injection vulnerability exists in versions of GLPI IT Management Software prior to 10.0.11. This vulnerability allows attackers to exploit the inventory endpoint, potentially compromising the integrity and confidentiality of the data stored within GLPI. Users are advised to upgrade to version 10.0.11 or later to mitigate risks. As a temporary measure, disabling the native inventory feature can serve as a workaround while updates are applied.
Affected Version(s)
glpi >= 10.0.0, < 10.0.11
CVSS V3.1
Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved