CVE-2022-24867

EPSS 0.36%
Veröffentlicht 21.04.2022 17:15:08
Zuletzt bearbeitet 21.11.2024 06:51:16
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. When you pass the config to the javascript, some entries are filtered out. The variable ldap_pass is not filtered and when you look at the source code of the rendered page, we can see the password for the root dn. Users are advised to upgrade. There is no known workaround for this issue.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Glpi-project ≫ Glpi Version < 10.0.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.36%	0.575

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	7.8	10	6.9	AV:N/AC:L/Au:N/C:C/I:N/A:N
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

https://github.com/glpi-project/glpi/commit/26f0a20810db11641afdcf671bac7a309acbb94e

Patch

Third Party Advisory

https://github.com/glpi-project/glpi/security/advisories/GHSA-4r49-52q9-5fgr

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-24867

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-24867

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-24867

EUVD