CVE-2023-36808: SQL injection through Computer Virtual Machine information
GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.8, Computer Virtual Machine form and GLPI inventory request can be used to perform a SQL injection attack. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory.
High
trasher published GHSA-vf5h-jh9q-2gjm
Jul 5, 2023
Package
glpi (glpi)
Affected versions
>= 0.80
Patched versions
10.0.8
Description
Impact
Computer Virtual Machine form and GLPI inventory request can be used to perform a SQL injection attack.
Patches
Upgrade to 10.0.8
Workarounds
Disable native inventory.
For more information
If you have any questions or comments about this advisory, mail us at [email protected].
Severity
High (8.6 / 10)
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVE ID
CVE-2023-36808
Weaknesses
CWE-89