Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-24867

GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. When you pass the config to the javascript, some entries are filtered out. The variable ldap_pass is not filtered and when you look at the source code of the rendered page, we can see the password for the root dn. Users are advised to upgrade. There is no known workaround for this issue.

Published

2022-04-21T17:15:08.557

Last Modified

2024-11-21T06:51:16.953

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:C/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

6.9

Weaknesses

Type: Secondary
CWE-200
Type: Primary
CWE-522

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	glpi-project	glpi	< 10.0.0	Yes

References

https://github.com/glpi-project/glpi/commit/26f0a20810db11641afdcf671bac7a309acbb94e Patch, Third Party Advisory ([email protected])
https://github.com/glpi-project/glpi/security/advisories/GHSA-4r49-52q9-5fgr Third Party Advisory ([email protected])
https://github.com/glpi-project/glpi/commit/26f0a20810db11641afdcf671bac7a309acbb94e Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/glpi-project/glpi/security/advisories/GHSA-4r49-52q9-5fgr Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)