Vulnerability CVE-2022-35947: Information
Description
GLPI stands for Gestionnaire Libre de Parc Informatique and is a free asset and IT management software package that provides ITIL Service Desk features, license tracking and software auditing. Affected versions have been found to be vulnerable to a SQL injection attack which an attacker could leverage to simulate an arbitrary user login. Users are advised to upgrade to version 10.0.3. Users unable to upgrade should disable the `Enable login with external token` API configuration.
Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
glpi | sisyphus | 10.0.3-alt1 | 10.0.15-alt1 | ALT-PU-2022-2614-1 | 306812 | Fixed |
glpi | sisyphus_e2k | 10.0.3-alt1 | 10.0.15-alt1 | ALT-PU-2022-6172-1 | - | Fixed |
glpi | p10 | 9.5.9-alt1 | 10.0.15-alt1 | ALT-PU-2022-2624-1 | 306811 | Fixed |
glpi | p10_e2k | 9.5.9-alt1 | 10.0.15-alt1 | ALT-PU-2022-6268-1 | - | Fixed |
glpi | p9 | 9.5.9-alt1 | 9.5.13-alt1 | ALT-PU-2022-2665-1 | 307140 | Fixed |
glpi | p9_e2k | 9.5.9-alt1 | 9.5.13-alt1 | ALT-PU-2022-6434-1 | - | Fixed |
glpi | c10f1 | 10.0.15-alt1 | 10.0.15-alt1 | ALT-PU-2024-8030-2 | 348513 | Fixed |
glpi | c9f2 | 9.5.13-alt1 | 9.5.13-alt1 | ALT-PU-2024-8094-3 | 348598 | Fixed |
glpi | p11 | 10.0.3-alt1 | 10.0.15-alt1 | ALT-PU-2022-2614-1 | 306812 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
---|---|
https://github.com/glpi-project/glpi/commit/564309d2c1180d5ba1615f4bbaf6623df81b4962 | |
https://github.com/glpi-project/glpi/security/advisories/GHSA-7p3q-cffg-c8xh | |