CVE-2024-53850 (GCVE-0-2024-53850)

Vulnerability from cvelistv5 – Published: 2024-12-26 21:41 – Updated: 2024-12-27 16:18
VLAI?
Title
The Addressing GLPI plugin allows data enumeration through uncontrolled object instantiation
Summary
The Addressing GLPI plugin enables you to create IP reports for visualize IP addresses used and free on a given network.. Starting with 3.0.0 and before 3.0.3, a poor security check allows an unauthenticated attacker to determine whether data exists (by name) in GLPI.
Severity ?
8.2 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
CWE
  • CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Assigner
References
Impacted products
Vendor Product Version
pluginsGLPI addressing Affected: >= 3.0.0 < 3.0.3
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-53850",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-27T16:18:33.280505Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-27T16:18:41.207Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "addressing",
          "vendor": "pluginsGLPI",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.0.0 \u003c 3.0.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Addressing GLPI plugin enables you to create IP reports for visualize IP addresses used and free on a given network.. Starting with 3.0.0 and before 3.0.3, a poor security check allows an unauthenticated attacker to determine whether data exists (by name) in GLPI."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-470",
              "description": "CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-26T21:41:55.270Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/pluginsGLPI/addressing/security/advisories/GHSA-fw42-79gw-7qr9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pluginsGLPI/addressing/security/advisories/GHSA-fw42-79gw-7qr9"
        },
        {
          "name": "https://github.com/pluginsGLPI/addressing/commit/b334187a99206abbd7d0bc84f720b0a6e69e92f0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pluginsGLPI/addressing/commit/b334187a99206abbd7d0bc84f720b0a6e69e92f0"
        }
      ],
      "source": {
        "advisory": "GHSA-fw42-79gw-7qr9",
        "discovery": "UNKNOWN"
      },
      "title": "The Addressing GLPI plugin allows data enumeration through uncontrolled object instantiation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-53850",
    "datePublished": "2024-12-26T21:41:55.270Z",
    "dateReserved": "2024-11-22T17:30:02.140Z",
    "dateUpdated": "2024-12-27T16:18:41.207Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The Addressing GLPI plugin enables you to create IP reports for visualize IP addresses used and free on a given network.. Starting with 3.0.0 and before 3.0.3, a poor security check allows an unauthenticated attacker to determine whether data exists (by name) in GLPI.\"}, {\"lang\": \"es\", \"value\": \"El complemento Addressing GLPI le permite crear informes de IP para visualizar direcciones IP utilizadas y libres en una red determinada. A partir de la versi\\u00f3n 3.0.0 y antes de la 3.0.3, una verificaci\\u00f3n de seguridad deficiente permite que un atacante no autenticado determine si existen datos (por nombre) en GLPI.\"}]",
      "id": "CVE-2024-53850",
      "lastModified": "2024-12-26T22:15:16.373",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L\", \"baseScore\": 8.2, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 4.2}]}",
      "published": "2024-12-26T22:15:16.373",
      "references": "[{\"url\": \"https://github.com/pluginsGLPI/addressing/commit/b334187a99206abbd7d0bc84f720b0a6e69e92f0\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/pluginsGLPI/addressing/security/advisories/GHSA-fw42-79gw-7qr9\", \"source\": \"security-advisories@github.com\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-470\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-53850\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-12-26T22:15:16.373\",\"lastModified\":\"2024-12-26T22:15:16.373\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Addressing GLPI plugin enables you to create IP reports for visualize IP addresses used and free on a given network.. Starting with 3.0.0 and before 3.0.3, a poor security check allows an unauthenticated attacker to determine whether data exists (by name) in GLPI.\"},{\"lang\":\"es\",\"value\":\"El complemento Addressing GLPI le permite crear informes de IP para visualizar direcciones IP utilizadas y libres en una red determinada. A partir de la versi\u00f3n 3.0.0 y antes de la 3.0.3, una verificaci\u00f3n de seguridad deficiente permite que un atacante no autenticado determine si existen datos (por nombre) en GLPI.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-470\"}]}],\"references\":[{\"url\":\"https://github.com/pluginsGLPI/addressing/commit/b334187a99206abbd7d0bc84f720b0a6e69e92f0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/pluginsGLPI/addressing/security/advisories/GHSA-fw42-79gw-7qr9\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-53850\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-27T16:18:33.280505Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-27T16:18:37.314Z\"}}], \"cna\": {\"title\": \"The Addressing GLPI plugin allows data enumeration through uncontrolled object instantiation\", \"source\": {\"advisory\": \"GHSA-fw42-79gw-7qr9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"pluginsGLPI\", \"product\": \"addressing\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 3.0.0 \u003c 3.0.3\"}]}], \"references\": [{\"url\": \"https://github.com/pluginsGLPI/addressing/security/advisories/GHSA-fw42-79gw-7qr9\", \"name\": \"https://github.com/pluginsGLPI/addressing/security/advisories/GHSA-fw42-79gw-7qr9\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/pluginsGLPI/addressing/commit/b334187a99206abbd7d0bc84f720b0a6e69e92f0\", \"name\": \"https://github.com/pluginsGLPI/addressing/commit/b334187a99206abbd7d0bc84f720b0a6e69e92f0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Addressing GLPI plugin enables you to create IP reports for visualize IP addresses used and free on a given network.. Starting with 3.0.0 and before 3.0.3, a poor security check allows an unauthenticated attacker to determine whether data exists (by name) in GLPI.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-470\", \"description\": \"CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-12-26T21:41:55.270Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-53850\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-27T16:18:41.207Z\", \"dateReserved\": \"2024-11-22T17:30:02.140Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-12-26T21:41:55.270Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.