GLPI is a free asset and IT management software package. Prior to version 9.5.7, an entity administrator is capable of retrieving normally inaccessible data via SQL injection. Version 9.5.7 contains a patch for this issue. As a workaround, disabling the `Entities` update right prevents exploitation of this vulnerability.
References
Link | Resource |
---|---|
https://github.com/glpi-project/glpi/commit/5c3eee696b503fdf502f506b00d15cf5b324b326 | Patch Third Party Advisory |
https://github.com/glpi-project/glpi/releases/tag/9.5.7 | Release Notes Third Party Advisory |
https://github.com/glpi-project/glpi/security/advisories/GHSA-5hg4-r64r-rf83 | Mitigation Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2022-01-28T10:15:14
Updated: 2022-01-28T10:15:14
Reserved: 2021-11-16T00:00:00
Link: CVE-2022-21720
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-01-28T11:15:08.223
Modified: 2022-02-02T17:50:22.327
Link: CVE-2022-21720
JSON object: View
Redhat Information
No data.
CWE