Lucene search

GitHub_MCVELIST:CVE-2023-34106

HistoryJul 05, 2023 - 5:48 p.m.

CVE-2023-34106 GLPI vulnerable to unauthorized access to User data

2023-07-0517:48:32

CWE-284

CWE-863

GitHub_M

www.cve.org

cve-2023-34106

glpi

unauthorized access

user data

software vulnerability

patch

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

30.4%

JSON

GLPI is a free asset and IT management software package. Versions of the software starting with 0.68 and prior to 10.0.8 have an incorrect rights check on a on a file accessible by an authenticated user. This allows access to the list of all users and their personal information. Users should upgrade to version 10.0.8 to receive a patch.

CNA Affected

[
  {
    "vendor": "glpi-project",
    "product": "glpi",
    "versions": [
      {
        "version": ">= 0.68, < 10.0.8",
        "status": "affected"
      }
    ]
  }
]

References

github.com/glpi-project/glpi/releases/tag/10.0.8

github.com/glpi-project/glpi/security/advisories/GHSA-923r-hqh4-wj7c

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

30.4%

JSON

Related for CVELIST:CVE-2023-34106