CVE-2024-27098 - OpenCVE

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can execute a SSRF based attack using Arbitrary Object Instantiation. This issue has been patched in version 10.0.13.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://github.com/glpi-project/glpi/commit/3b6bc1b4aa1f3693b20ada3425d2de5108522484
https://github.com/glpi-project/glpi/releases/tag/10.0.13
https://github.com/glpi-project/glpi/security/advisories/GHSA-92x4-q9w5-837w

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-03-18T16:14:18.894Z

Updated: 2024-06-04T17:47:14.574Z

Reserved: 2024-02-19T14:43:05.993Z

Link: CVE-2024-27098

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-03-18T17:15:06.593

Modified: 2024-03-18T19:40:00.173

Link: CVE-2024-27098

JSON object: View

Redhat Information

No data.

CWE

CWE-918

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-27098", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-19T14:43:05.993Z", "datePublished": "2024-03-18T16:14:18.894Z", "dateUpdated": "2024-06-04T17:47:14.574Z"}, "containers": {"cna": {"title": "Blind Server-Side Request Forgery (SSRF) using Arbitrary Object Instantiation in GLPI", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-92x4-q9w5-837w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-92x4-q9w5-837w"}, {"name": "https://github.com/glpi-project/glpi/commit/3b6bc1b4aa1f3693b20ada3425d2de5108522484", "tags": ["x_refsource_MISC"], "url": "https://github.com/glpi-project/glpi/commit/3b6bc1b4aa1f3693b20ada3425d2de5108522484"}, {"name": "https://github.com/glpi-project/glpi/releases/tag/10.0.13", "tags": ["x_refsource_MISC"], "url": "https://github.com/glpi-project/glpi/releases/tag/10.0.13"}], "affected": [{"vendor": "glpi-project", "product": "glpi", "versions": [{"version": ">= 9.5.0, < 10.0.13", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-18T16:14:18.894Z"}, "descriptions": [{"lang": "en", "value": "GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can execute a SSRF based attack using Arbitrary Object Instantiation. This issue has been patched in version 10.0.13."}], "source": {"advisory": "GHSA-92x4-q9w5-837w", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-27098", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-19T15:47:43.513847Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:47:14.574Z"}}]}}