Headline
CVE-2023-35924: SQL injection via inventory agent request
GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.8, the GLPI inventory endpoint can be used to drive a SQL injection attack. By default, the GLPI inventory endpoint requires no authentication. Version 10.0.8 contains a patch for this issue. As a workaround, one may disable native inventory.
High
trasher published GHSA-gxh4-j63w-8jmm on Jul 5, 2023
Package
glpi (glpi)
Affected versions
>= 10.0.0
Patched versions
10.0.8
Description
Impact
The GLPI inventory endpoint, which requires no authentication by default, can be used to drive a SQL injection attack.
Patches
Upgrade to version 10.0.8.
Workarounds
Disable native inventory.
For more information
If you have any questions or comments about this advisory, mail us at [email protected].
Severity
High
8.6 / 10
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVE ID
CVE-2023-35924
Weaknesses
CWE-89