PRIOn knowledge base: PRION:CVE-2023-28633
Apr 05, 2023 - 4:15 p.m.

Server-side request forgery (SSRF)

2023-04-05 16:15:00
PRIOn knowledge base
www.prio-n.com
glpi software
version 0.84
version 9.5.13
version 10.0.7
ssrf
rss feed
autodiscovery
vulnerability

AI Score: 6.5 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 30.8%)

GLPI is a free asset and IT management software package. Starting in version 0.84 and prior to versions 9.5.13 and 10.0.7, usage of RSS feeds is subject to server-side request forgery (SSRF). If the remote address is not a valid RSS feed, an RSS autodiscovery feature is triggered. This feature does not check the safety of URLs. Versions 9.5.13 and 10.0.7 contain a patch for this issue.

CPE Name    Operator    Version
glpi        ge          10.0.0
glpi        lt          10.0.7
glpi        ge          0.84
glpi        lt          9.5.13
