Headline
CVE-2023-34107: Unauthorized access to knowledge base items
GLPI is a free asset and IT management software package. Versions of the software starting with 9.2.0 and prior to 10.0.8 have an incorrect rights check on a file accessible by an authenticated user, which allows access to view all KnowbaseItems. Version 10.0.8 has a patch for this issue.
Moderate
trasher published GHSA-966h-xrf5-pmj4
Jul 5, 2023
Package
glpi (glpi)
Affected versions
>= 9.2.0
Patched versions
10.0.8
Description
Impact
Incorrect rights check on a file allows access by an authenticated user to all knowledge base items.
Patches
Upgrade to 10.0.8.
For more information
If you have any questions or comments about this advisory, mail us at [email protected].
Severity
Moderate
6.5 / 10
CVSS base metrics
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE ID
CVE-2023-34107
Weaknesses
CWE-284
Credits
- flegastelois Finder