CVE-2023-23610 - OpenCVE

GLPI is a Free Asset and IT Management Software package. Versions prior to 9.5.12 and 10.0.6 are vulnerable to Improper Privilege Management. Any user having access to the standard interface can export data of almost any GLPI item type, even those on which user is not allowed to access (including assets, tickets, users, ...). This issue is patched in 10.0.6.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Glpi-project	Glpi

Configuration 1 [-]

OR	cpe:2.3:a:glpi-project:glpi::::::::
	cpe:2.3:a:glpi-project:glpi::::::::

No data.

References

Link	Providers
https://github.com/glpi-project/glpi/security/advisories/GHSA-6565-hm87-24hf

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-01-25T05:46:35.549Z

Updated: 2024-08-02T10:35:33.548Z

Reserved: 2023-01-16T17:07:46.242Z

Link: CVE-2023-23610

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-01-26T21:18:14.223

Modified: 2023-02-02T18:33:18.300

Link: CVE-2023-23610

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-23610", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-01-16T17:07:46.242Z", "datePublished": "2023-01-25T05:46:35.549Z", "dateUpdated": "2024-08-02T10:35:33.548Z"}, "containers": {"cna": {"title": "glpi vulnerable to Unauthorized access to data export", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-6565-hm87-24hf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-6565-hm87-24hf"}], "affected": [{"vendor": "glpi-project", "product": "glpi", "versions": [{"version": ">= 0.65, < 9.5.12", "status": "affected"}, {"version": ">= 10.0.0, < 10.0.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-01-25T05:46:35.549Z"}, "descriptions": [{"lang": "en", "value": "GLPI is a Free Asset and IT Management Software package. Versions prior to 9.5.12 and 10.0.6 are vulnerable to Improper Privilege Management. Any user having access to the standard interface can export data of almost any GLPI item type, even those on which user is not allowed to access (including assets, tickets, users, ...). This issue is patched in 10.0.6."}], "source": {"advisory": "GHSA-6565-hm87-24hf", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:35:33.548Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-6565-hm87-24hf", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-6565-hm87-24hf"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*", "matchCriteriaId": "E4FD5B9D-8A8D-470C-9E6B-67DC8EAB2622", "versionEndExcluding": "9.5.12", "versionStartIncluding": "0.65", "vulnerable": true}, {"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*", "matchCriteriaId": "B025E2D5-B467-460F-A5B0-053D46B581E6", "versionEndExcluding": "10.0.6", "versionStartIncluding": "10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GLPI is a Free Asset and IT Management Software package. Versions prior to 9.5.12 and 10.0.6 are vulnerable to Improper Privilege Management. Any user having access to the standard interface can export data of almost any GLPI item type, even those on which user is not allowed to access (including assets, tickets, users, ...). This issue is patched in 10.0.6."}, {"lang": "es", "value": "GLPI es un paquete gratuito de software de gesti\u00f3n de TI y activos. Las versiones anteriores a 9.5.12 y 10.0.6 son vulnerables a una gesti\u00f3n de privilegios inadecuada. Cualquier usuario que tenga acceso a la interfaz est\u00e1ndar puede exportar datos de casi cualquier tipo de elemento GLPI, incluso aquellos a los que el usuario no tiene acceso (incluidos activos, tickets, usuarios,...). Este problema se solucion\u00f3 en 10.0.6."}], "id": "CVE-2023-23610", "lastModified": "2023-02-02T18:33:18.300", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-01-26T21:18:14.223", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-6565-hm87-24hf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Secondary"}]}