Lucene search

GoogleOSV:CVE-2023-46727

HistoryDec 13, 2023 - 7:15 p.m.

CVE-2023-46727

2023-12-1319:15:08

Google

osv.dev

glpi

sql injection

vulnerability

inventory endpoint

patched

version 10.0.11

software

workaround

disable native inventory

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.8

Confidence

Low

EPSS

0.001

Percentile

29.9%

JSON

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, GLPI inventory endpoint can be used to drive a SQL injection attack. Version 10.0.11 contains a patch for the issue. As a workaround, disable native inventory.

References

github.com/glpi-project/glpi/commit/ee2d674481ebef177037e8e14d35c9455b5cfd46

github.com/glpi-project/glpi/releases/tag/10.0.11

github.com/glpi-project/glpi/security/advisories/GHSA-v799-2mp3-wgfr

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.8

Confidence

Low

EPSS

0.001

Percentile

29.9%

JSON

Related for OSV:CVE-2023-46727