Lucene search

Ubuntu.comUB:CVE-2024-37149

HistoryJul 10, 2024 - 12:00 a.m.

CVE-2024-37149

2024-07-1000:00:00

ubuntu.com

glpi

software

vulnerability

malicious

php

upload

it management

itil service desk

technician

upgrade

unix

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

7.2

Confidence

Low

JSON

GLPI is an open-source asset and IT management software package that
provides ITIL Service Desk features, licenses tracking and software
auditing. An authenticated technician user can upload a malicious PHP
script and hijack the plugin loader to execute this malicious script.
Upgrade to 10.0.16.

OSVersionArchitecturePackageVersionFilename
ubuntu16.04noarchglpi< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	16.04	noarch	glpi	< any	UNKNOWN

References

github.com/glpi-project/glpi/security/advisories/GHSA-cwvp-j887-m4xh

launchpad.net/bugs/cve/CVE-2024-37149

nvd.nist.gov/vuln/detail/CVE-2024-37149

security-tracker.debian.org/tracker/CVE-2024-37149

www.cve.org/CVERecord?id=CVE-2024-37149

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

7.2

Confidence

Low

JSON

Related for UB:CVE-2024-37149