Vulnerability CVE-2023-46727: Information
Description
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, the GLPI inventory endpoint can be used to drive a SQL injection attack. Version 10.0.11 contains a patch for the issue. As a workaround, disable native inventory.
Severity: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
glpi | sisyphus | 10.0.11-alt1 | 10.0.15-alt1 | ALT-PU-2023-8061-1 | 336499 | Fixed |
glpi | sisyphus_e2k | 10.0.11-alt1 | 10.0.15-alt1 | ALT-PU-2023-8115-1 | - | Fixed |
glpi | sisyphus_loongarch64 | 10.0.11-alt1 | 10.0.15-alt1 | ALT-PU-2023-8103-1 | - | Fixed |
glpi | p10 | 10.0.11-alt1 | 10.0.15-alt1 | ALT-PU-2023-8087-2 | 336575 | Fixed |
glpi | p10_e2k | 10.0.11-alt1 | 10.0.15-alt1 | ALT-PU-2023-8161-1 | - | Fixed |
glpi | c10f1 | 10.0.15-alt1 | 10.0.15-alt1 | ALT-PU-2024-8030-2 | 348513 | Fixed |
glpi | p11 | 10.0.11-alt1 | 10.0.15-alt1 | ALT-PU-2023-8061-1 | 336499 | Fixed |