Lucene search

Veracode Vulnerability DatabaseVERACODE:46634

HistoryApr 26, 2024 - 7:33 a.m.

Privilege Escalation

2024-04-2607:33:32

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

github

glpi-project

msi package installer

local user

glpi server

agent service

malicious server

unauthorized deploy tasks

vulnerability

7.3 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.2%

JSON

github.com/glpi-project/glpi-agent is vulnerable to Privilege Escalation. The vulnerability is due to improper security controls in the MSI package installer that allow a local user to manipulate the GLPI server URL or disable the agent service, and in some cases, configure a malicious server to execute unauthorized deploy tasks.

CPENameOperatorVersion
github.com/glpi-project/glpi-agentle1.7.1
github.com/glpi-project/glpi-agentle1.7.1

CPE	Name	Operator	Version
	github.com/glpi-project/glpi-agent	le	1.7.1
	github.com/glpi-project/glpi-agent	le	1.7.1

References

github.com/glpi-project/glpi-agent/commit/41bbb1169e899bd15350a9e2fdbf9269a3b7a14f

github.com/glpi-project/glpi-agent/security/advisories/GHSA-hx3x-mmqg-h3jp

7.3 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.2%

JSON

Related for VERACODE:46634