| Field | Value |
|---|---|
| Vulnerability Name | CVE-2022-24867 (CCN-225028) |
| Assigned | 2022-04-20 |
| Published | 2022-04-20 |
| Updated | 2022-05-03 |
| Summary | GLPI is a free asset and IT management software package that provides ITIL service desk features, license tracking and software auditing. When the configuration is passed to the JavaScript layer, some entries are filtered out, but the variable `ldap_pass` is not: viewing the source of the rendered page reveals the password for the LDAP root DN. Users are advised to upgrade. There is no known workaround for this issue. |
| CVSS v3 Severity | 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)<br>6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)<br>6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C) |
| CVSS v2 Severity | 7.8 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N) |
| Vulnerability Type | CWE-522 |
| Vulnerability Consequences | Obtain Information |
| References | Source: MITRE, Type: CNA, CVE-2022-24867<br>Source: XF, Type: UNKNOWN, glpi-cve202224867-info-disc(225028)<br>Source: MISC, Type: Patch, Third Party Advisory, https://github.com/glpi-project/glpi/commit/26f0a20810db11641afdcf671bac7a309acbb94e<br>Source: CCN, Type: GLPI GIT Repository, "LDAP password exposed on source code"<br>Source: CONFIRM, Type: Third Party Advisory, https://github.com/glpi-project/glpi/security/advisories/GHSA-4r49-52q9-5fgr<br>Source: CCN, Type: Mend Vulnerability Database, CVE-2022-24867 |
| Vulnerable Configuration | Configuration 1; Configuration CCN 1 (denotes that the component is vulnerable) |