Lucene search

[email protected]NVD:CVE-2023-28633

HistoryApr 05, 2023 - 4:15 p.m.

CVE-2023-28633

2023-04-0516:15:08

CWE-918

[email protected]

web.nvd.nist.gov

glpi

rss

ssrf

vulnerability

patched

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

AI Score

4.9

Confidence

High

EPSS

0.001

Percentile

30.7%

JSON

GLPI is a free asset and IT management software package. Starting in version 0.84 and prior to versions 9.5.13 and 10.0.7, usage of RSS feeds is subject to server-side request forgery (SSRF). In case the remote address is not a valid RSS feed, an RSS autodiscovery feature is triggered. This feature does not check safety or URLs. Versions 9.5.13 and 10.0.7 contain a patch for this issue.

Affected configurations

Nvd

Node

glpi-projectglpiRange0.84–9.5.13

glpi-projectglpiRange10.0.0–10.0.7

VendorProductVersionCPE
glpi-projectglpi*cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
glpi-project	glpi	*	cpe:2.3:a:glpi-project:glpi::::::::

References

github.com/glpi-project/glpi/commit/e2819da64c9075050805a44c834e1f4dc621a982

github.com/glpi-project/glpi/releases/tag/10.0.7

github.com/glpi-project/glpi/releases/tag/9.5.13

github.com/glpi-project/glpi/security/advisories/GHSA-r57v-j88m-rwwf

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

AI Score

4.9

Confidence

High

EPSS

0.001

Percentile

30.7%

JSON

Related for NVD:CVE-2023-28633

osv1 cve1 ubuntucve1 cvelist1 prion1 freebsd1 redos1