Lucene search

GoogleOSV:CVE-2022-39323

HistoryNov 03, 2022 - 3:15 p.m.

CVE-2022-39323

2022-11-0315:15:12

Google

osv.dev

glpi

it management software

sql injection

patch

upgrade

api rest

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.8 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

50.2%

JSON

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Time based attack using a SQL injection in api REST user_token. This issue has been patched, please upgrade to version 10.0.4. As a workaround, disable login with user_token on API Rest.

CPENameOperatorVersion
glpieq9.5.0-rc2
glpieq10.0.0-rc1
glpieq10.0.0-rc3
glpieq10.0.3
glpieq9.5.7
glpieq9.5.4
glpieq9.5.1
glpieq9.4.4
glpieq9.4.0-rc1
glpieq9.5.0

Name	Operator	Version
glpi	eq	9.5.0-rc2
glpi	eq	10.0.0-rc1
glpi	eq	10.0.0-rc3
glpi	eq	10.0.3
glpi	eq	9.5.7
glpi	eq	9.5.4
glpi	eq	9.5.1
glpi	eq	9.4.4
glpi	eq	9.4.0-rc1
glpi	eq	9.5.0

Rows per page:

1-10 of 311

References

github.com/glpi-project/glpi/security/advisories/GHSA-cp6q-9p4x-8hr9

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.8 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

50.2%

JSON

Related for OSV:CVE-2022-39323