GitHub_MVULNRICHMENT:CVE-2024-28241CVE-2024-28241 GlPI-Agent MSI package installation doesn't update folder security profile when using non default installation folder
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
AI Score
Confidence
High
SSVC
Exploitation
none
Automatable
no
Technical Impact
total
The GLPI Agent is a generic management agent. Prior to version 1.7.2, a local user can modify GLPI-Agent code or used DLLs to modify agent logic and even gain higher privileges. Users should upgrade to GLPI-Agent 1.7.2 to receive a patch. As a workaround, use the default installation folder which involves installed folder is automatically secured by the system.
ADP Affected
[
{
"cpes": [
"cpe:2.3:a:gldpi-project:gldpi-agent:*:*:*:*:*:*:*:*"
],
"vendor": "gldpi-project",
"product": "gldpi-agent",
"versions": [
{
"status": "affected",
"version": "*"
}
],
"defaultStatus": "unknown"
}
]Related
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
AI Score
Confidence
High
SSVC
Exploitation
none
Automatable
no
Technical Impact
total