Ubuntu.comUB:CVE-2022-36112CVE-2022-36112
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
EPSS
Percentile
26.2%
GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset
and IT Management Software package, that provides ITIL Service Desk
features, licenses tracking and software auditing. Usage of RSS feeds or
extenal calendar in planning is subject to SSRF exploit. Server-side
requests can be used to scan server port or services opened on GLPI server
or its private network. Queries responses are not exposed to end-user
(blind SSRF). Users are advised to upgrade to version 10.0.3 to resolve
this issue. There are no known workarounds.
References
github.com/glpi-project/glpi/commit/ad66d69049ae02bead8ed0f4ee654a458643244e
github.com/glpi-project/glpi/security/advisories/GHSA-rqgx-gqhp-x8vv
launchpad.net/bugs/cve/CVE-2022-36112
nvd.nist.gov/vuln/detail/CVE-2022-36112
security-tracker.debian.org/tracker/CVE-2022-36112
www.cve.org/CVERecord?id=CVE-2022-36112
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
EPSS
Percentile
26.2%