CVE-2018-7562 - OpenCVE

A remote code execution issue was discovered in GLPI through 9.2.1. There is a race condition that allows temporary access to an uploaded executable file that will be disallowed. The application allows an authenticated user to upload a file when he/she creates a new ticket via front/fileupload.php. This feature is protected using different types of security features like the check on the file's extension. However, the application uploads and creates a file, though this file is not allowed, and then deletes the file in the uploadFiles method in inc/glpiuploaderhandler.class.php.

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Glpi-project	Glpi

Configuration 1 [-]

cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/glpi-project/glpi/pull/3650	Issue Tracking Third Party Advisory
https://membership.backbox.org/glpi-9-2-1-multiple-vulnerabilities/	Permissions Required

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2018-03-12T21:00:00

Updated: 2018-03-12T20:57:01

Reserved: 2018-02-28T00:00:00

Link: CVE-2018-7562

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-03-12T21:29:01.140

Modified: 2018-04-11T15:02:27.880

Link: CVE-2018-7562

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-02-28T00:00:00", "descriptions": [{"lang": "en", "value": "A remote code execution issue was discovered in GLPI through 9.2.1. There is a race condition that allows temporary access to an uploaded executable file that will be disallowed. The application allows an authenticated user to upload a file when he/she creates a new ticket via front/fileupload.php. This feature is protected using different types of security features like the check on the file's extension. However, the application uploads and creates a file, though this file is not allowed, and then deletes the file in the uploadFiles method in inc/glpiuploaderhandler.class.php."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-03-12T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/glpi-project/glpi/pull/3650"}, {"tags": ["x_refsource_MISC"], "url": "https://membership.backbox.org/glpi-9-2-1-multiple-vulnerabilities/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-7562", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A remote code execution issue was discovered in GLPI through 9.2.1. There is a race condition that allows temporary access to an uploaded executable file that will be disallowed. The application allows an authenticated user to upload a file when he/she creates a new ticket via front/fileupload.php. This feature is protected using different types of security features like the check on the file's extension. However, the application uploads and creates a file, though this file is not allowed, and then deletes the file in the uploadFiles method in inc/glpiuploaderhandler.class.php."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/glpi-project/glpi/pull/3650", "refsource": "CONFIRM", "url": "https://github.com/glpi-project/glpi/pull/3650"}, {"name": "https://membership.backbox.org/glpi-9-2-1-multiple-vulnerabilities/", "refsource": "MISC", "url": "https://membership.backbox.org/glpi-9-2-1-multiple-vulnerabilities/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-7562", "datePublished": "2018-03-12T21:00:00", "dateReserved": "2018-02-28T00:00:00", "dateUpdated": "2018-03-12T20:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*", "matchCriteriaId": "DD1A974E-670F-4145-8843-C7F46CE01E63", "versionEndIncluding": "9.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A remote code execution issue was discovered in GLPI through 9.2.1. There is a race condition that allows temporary access to an uploaded executable file that will be disallowed. The application allows an authenticated user to upload a file when he/she creates a new ticket via front/fileupload.php. This feature is protected using different types of security features like the check on the file's extension. However, the application uploads and creates a file, though this file is not allowed, and then deletes the file in the uploadFiles method in inc/glpiuploaderhandler.class.php."}, {"lang": "es", "value": "Se ha descubierto un problema de ejecuci\u00f3n remota de c\u00f3digo en GLPI hasta la versi\u00f3n 9.2.1. Hay una condici\u00f3n de carrera que permite el acceso temporal a un archivo ejecutable subido que posteriormente aparecer\u00e1 como no permitido. La aplicaci\u00f3n permite que un usuario autenticado suba un archivo cuando crea un nuevo ticket mediante front/fileupload.php. Esta caracter\u00edstica est\u00e1 protegida por medio de diferentes tipos de caracter\u00edsticas de seguridad, como la comprobaci\u00f3n en la extensi\u00f3n del archivo. Sin embargo, la aplicaci\u00f3n sube y crea un archivo, aunque este archivo no est\u00e9 permitido, para despu\u00e9s eliminar el archivo en el m\u00e9todo uploadFiles en inc/glpiuploaderhandler.class.php."}], "id": "CVE-2018-7562", "lastModified": "2018-04-11T15:02:27.880", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-12T21:29:01.140", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/glpi-project/glpi/pull/3650"}, {"source": "cve@mitre.org", "tags": ["Permissions Required"], "url": "https://membership.backbox.org/glpi-9-2-1-multiple-vulnerabilities/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}, {"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}