CVE-2020-15108 - OpenCVE

In glpi before 9.5.1, there is a SQL injection for all usages of "Clone" feature. This has been fixed in 9.5.1.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Glpi-project	Glpi

Configuration 1 [-]

cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/glpi-project/glpi/commit/a4baa64114eb92fd2adf6056a36e0582324414ba	Patch Third Party Advisory
https://github.com/glpi-project/glpi/pull/6684	Third Party Advisory
https://github.com/glpi-project/glpi/security/advisories/GHSA-qv6w-68gq-wx2v	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-07-17T20:30:17

Updated: 2020-07-17T20:30:17

Reserved: 2020-06-25T00:00:00

Link: CVE-2020-15108

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-07-17T21:15:12.780

Modified: 2020-07-22T15:38:33.420

Link: CVE-2020-15108

JSON object: View

Redhat Information

No data.

CWE

CWE-89

{"containers": {"cna": {"affected": [{"product": "glpi", "vendor": "glpi-project", "versions": [{"status": "affected", "version": "< 9.5.1"}]}], "descriptions": [{"lang": "en", "value": "In glpi before 9.5.1, there is a SQL injection for all usages of \"Clone\" feature. This has been fixed in 9.5.1."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-07-17T20:30:17", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-qv6w-68gq-wx2v"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/glpi-project/glpi/pull/6684"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/glpi-project/glpi/commit/a4baa64114eb92fd2adf6056a36e0582324414ba"}], "source": {"advisory": "GHSA-qv6w-68gq-wx2v", "discovery": "UNKNOWN"}, "title": "SQL Injection in glpi", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15108", "STATE": "PUBLIC", "TITLE": "SQL Injection in glpi"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "glpi", "version": {"version_data": [{"version_value": "< 9.5.1"}]}}]}, "vendor_name": "glpi-project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In glpi before 9.5.1, there is a SQL injection for all usages of \"Clone\" feature. This has been fixed in 9.5.1."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-qv6w-68gq-wx2v", "refsource": "CONFIRM", "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-qv6w-68gq-wx2v"}, {"name": "https://github.com/glpi-project/glpi/pull/6684", "refsource": "MISC", "url": "https://github.com/glpi-project/glpi/pull/6684"}, {"name": "https://github.com/glpi-project/glpi/commit/a4baa64114eb92fd2adf6056a36e0582324414ba", "refsource": "MISC", "url": "https://github.com/glpi-project/glpi/commit/a4baa64114eb92fd2adf6056a36e0582324414ba"}]}, "source": {"advisory": "GHSA-qv6w-68gq-wx2v", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15108", "datePublished": "2020-07-17T20:30:17", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2020-07-17T20:30:17", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*", "matchCriteriaId": "6AC6E700-75F2-4062-A8AD-AE72EAE047E0", "versionEndExcluding": "9.5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In glpi before 9.5.1, there is a SQL injection for all usages of \"Clone\" feature. This has been fixed in 9.5.1."}, {"lang": "es", "value": "En glpi versiones anteriores a 9.5.1, se presenta una inyecci\u00f3n SQL para todos los usos de la funcionalidad \"Clone\". Esto ha sido corregido en 9.5.1"}], "id": "CVE-2020-15108", "lastModified": "2020-07-22T15:38:33.420", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-07-17T21:15:12.780", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/glpi-project/glpi/commit/a4baa64114eb92fd2adf6056a36e0582324414ba"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/glpi-project/glpi/pull/6684"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-qv6w-68gq-wx2v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}