Headline
CVE-2023-34106: Unauthorized access to user data
GLPI is a free asset and IT management software package. Versions of the software starting with 0.68 and prior to 10.0.8 have an incorrect rights check on a file accessible by an authenticated user. This allows access to the list of all users and their personal information. Users should upgrade to version 10.0.8 to receive a patch.
Moderate
trasher published GHSA-923r-hqh4-wj7c
Jul 5, 2023
Package
glpi (glpi)
Affected versions
>= 0.68
Patched versions
10.0.8
Description
Impact
Incorrect rights check on a file allows access by an authenticated user to the list of all users and their personal information.
Patches
Upgrade to 10.0.8.
For more information
If you have any questions or comments about this advisory, mail us at glpi-security@ow2.org.
Severity
Moderate
6.5 / 10
CVSS base metrics
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE ID
CVE-2023-34106
Weaknesses
CWE-284
Credits
- flegastelois (Finder)