CVE-2022-24867

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-24867
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-24867.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-24867
Related
  • GHSA-4r49-52q9-5fgr
Published
2022-04-21T17:15:08Z
Modified
2025-01-08T14:11:08.518122Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. When you pass the config to the javascript, some entries are filtered out. The variable ldap_pass is not filtered and when you look at the source code of the rendered page, we can see the password for the root dn. Users are advised to upgrade. There is no known workaround for this issue.

References

Affected packages

Git / github.com/glpi-project/glpi

Affected ranges

Type
GIT
Repo
https://github.com/glpi-project/glpi
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

0.*

0.90
0.90-RC1
0.90-RC2
0.90-beta1
0.90-beta2
0.90.1

10.*

10.0.0-beta
10.0.0-rc1
10.0.0-rc2
10.0.0-rc3

9.*

9.1
9.1-RC1
9.1-RC2
9.3-beta
9.4.0
9.4.0-beta
9.4.0-rc1
9.4.0-rc2
9.4.1
9.4.1.1
9.4.2
9.4.3
9.4.4
9.4.5
9.4.6
9.5.0
9.5.0-rc1
9.5.0-rc2
9.5.1
9.5.2
9.5.3
9.5.4
9.5.5
9.5.6
9.5.7