cvelistv5 - cve-2024-43416

CVE-2024-43416 (GCVE-0-2024-43416)

Vulnerability from cvelistv5 – Published: 2024-11-18 16:27 – Updated: 2024-11-18 18:34

Summary

GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an unauthenticated user can use an application endpoint to check if an email address corresponds to a valid GLPI user. Version 10.0.17 fixes the issue.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

URL

Tags

	https://github.com/glpi-project/glpi/security/adv…	x_refsource_CONFIRM
	https://github.com/glpi-project/glpi/commit/9be14…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	glpi-project	glpi	Affected: >= 0.80, < 10.0.17

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "glpi",
            "vendor": "glpi-project",
            "versions": [
              {
                "lessThan": "10.0.17",
                "status": "affected",
                "version": "0.80",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-43416",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-18T18:33:19.270940Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-18T18:34:01.203Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "glpi",
          "vendor": "glpi-project",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.80, \u003c 10.0.17"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an unauthenticated user can use an application endpoint to check if an email address corresponds to a valid GLPI user. Version 10.0.17 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-18T16:27:06.243Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-j8gc-xpgr-2ww7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-j8gc-xpgr-2ww7"
        },
        {
          "name": "https://github.com/glpi-project/glpi/commit/9be1466053f829680db318f7e7e5880d2d789c6d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/glpi-project/glpi/commit/9be1466053f829680db318f7e7e5880d2d789c6d"
        }
      ],
      "source": {
        "advisory": "GHSA-j8gc-xpgr-2ww7",
        "discovery": "UNKNOWN"
      },
      "title": "GLPI vulnerable to enumeration of users\u0027 email addresses by unauthenticated user"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-43416",
    "datePublished": "2024-11-18T16:27:06.243Z",
    "dateReserved": "2024-08-12T18:02:04.967Z",
    "dateUpdated": "2024-11-18T18:34:01.203Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"0.80\", \"versionEndExcluding\": \"10.0.17\", \"matchCriteriaId\": \"32ABC28B-4FBB-4935-84A6-099E9F11B796\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an unauthenticated user can use an application endpoint to check if an email address corresponds to a valid GLPI user. Version 10.0.17 fixes the issue.\"}, {\"lang\": \"es\", \"value\": \"GLPI es un paquete de software gratuito de gesti\\u00f3n de activos y TI. A partir de la versi\\u00f3n 0.80 y antes de la versi\\u00f3n 10.0.17, un usuario no autenticado puede usar un endpoint de la aplicaci\\u00f3n para verificar si una direcci\\u00f3n de correo electr\\u00f3nico corresponde a un usuario v\\u00e1lido de GLPI. La versi\\u00f3n 10.0.17 soluciona el problema.\"}]",
      "id": "CVE-2024-43416",
      "lastModified": "2025-01-07T17:05:20.757",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}]}",
      "published": "2024-11-18T17:15:11.220",
      "references": "[{\"url\": \"https://github.com/glpi-project/glpi/commit/9be1466053f829680db318f7e7e5880d2d789c6d\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/glpi-project/glpi/security/advisories/GHSA-j8gc-xpgr-2ww7\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-200\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-43416\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-11-18T17:15:11.220\",\"lastModified\":\"2025-01-07T17:05:20.757\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an unauthenticated user can use an application endpoint to check if an email address corresponds to a valid GLPI user. Version 10.0.17 fixes the issue.\"},{\"lang\":\"es\",\"value\":\"GLPI es un paquete de software gratuito de gesti\u00f3n de activos y TI. A partir de la versi\u00f3n 0.80 y antes de la versi\u00f3n 10.0.17, un usuario no autenticado puede usar un endpoint de la aplicaci\u00f3n para verificar si una direcci\u00f3n de correo electr\u00f3nico corresponde a un usuario v\u00e1lido de GLPI. La versi\u00f3n 10.0.17 soluciona el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.80\",\"versionEndExcluding\":\"10.0.17\",\"matchCriteriaId\":\"32ABC28B-4FBB-4935-84A6-099E9F11B796\"}]}]}],\"references\":[{\"url\":\"https://github.com/glpi-project/glpi/commit/9be1466053f829680db318f7e7e5880d2d789c6d\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/glpi-project/glpi/security/advisories/GHSA-j8gc-xpgr-2ww7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-43416\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-18T18:33:19.270940Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*\"], \"vendor\": \"glpi-project\", \"product\": \"glpi\", \"versions\": [{\"status\": \"affected\", \"version\": \"0.80\", \"lessThan\": \"10.0.17\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-18T18:33:57.082Z\"}}], \"cna\": {\"title\": \"GLPI vulnerable to enumeration of users\u0027 email addresses by unauthenticated user\", \"source\": {\"advisory\": \"GHSA-j8gc-xpgr-2ww7\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"glpi-project\", \"product\": \"glpi\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 0.80, \u003c 10.0.17\"}]}], \"references\": [{\"url\": \"https://github.com/glpi-project/glpi/security/advisories/GHSA-j8gc-xpgr-2ww7\", \"name\": \"https://github.com/glpi-project/glpi/security/advisories/GHSA-j8gc-xpgr-2ww7\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/glpi-project/glpi/commit/9be1466053f829680db318f7e7e5880d2d789c6d\", \"name\": \"https://github.com/glpi-project/glpi/commit/9be1466053f829680db318f7e7e5880d2d789c6d\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an unauthenticated user can use an application endpoint to check if an email address corresponds to a valid GLPI user. Version 10.0.17 fixes the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-11-18T16:27:06.243Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-43416\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-18T18:34:01.203Z\", \"dateReserved\": \"2024-08-12T18:02:04.967Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-11-18T16:27:06.243Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2024-AVI-0996

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans GLPI. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une atteinte à la confidentialité des données et une injection de code indirecte à distance (XSS).

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	GLPI	GLPI	GLPI versions antérieures à 10.0.17

References

Title

Publication Time

Tags

Bulletin de sécurité GLPI GHSA-x8jv-fcwx-3x6m	2024-11-15	vendor-advisory
Bulletin de sécurité GLPI GHSA-8843-r3m7-gfqx	2024-11-15	vendor-advisory
Bulletin de sécurité GLPI GHSA-vvr8-chwj-9m4c	2024-11-15	vendor-advisory
Bulletin de sécurité GLPI GHSA-p633-wfj5-8x44	2024-11-15	vendor-advisory
Bulletin de sécurité GLPI GHSA-j73h-x6j3-m479	2024-11-15	vendor-advisory
Bulletin de sécurité GLPI GHSA-3j2f-3j4v-hppr	2024-11-15	vendor-advisory
Bulletin de sécurité GLPI GHSA-xwmx-mmrf-hqf9	2024-11-15	vendor-advisory
Bulletin de sécurité GLPI GHSA-hq9q-jfhp-qqgm	2024-11-15	vendor-advisory
Bulletin de sécurité GLPI GHSA-j8gc-xpgr-2ww7	2024-11-17	vendor-advisory
Bulletin de sécurité GLPI GHSA-67p8-v79j-jp86	2024-11-15	vendor-advisory
Bulletin de sécurité GLPI GHSA-474f-9vpp-xxq5	2024-11-15	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "GLPI versions ant\u00e9rieures \u00e0 10.0.17",
      "product": {
        "name": "GLPI",
        "vendor": {
          "name": "GLPI",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2024-41678",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41678"
    },
    {
      "name": "CVE-2024-45611",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45611"
    },
    {
      "name": "CVE-2024-43416",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-43416"
    },
    {
      "name": "CVE-2024-43417",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-43417"
    },
    {
      "name": "CVE-2024-41679",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41679"
    },
    {
      "name": "CVE-2024-45609",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45609"
    },
    {
      "name": "CVE-2024-40638",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-40638"
    },
    {
      "name": "CVE-2024-45610",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45610"
    },
    {
      "name": "CVE-2024-43418",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-43418"
    },
    {
      "name": "CVE-2024-45608",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45608"
    },
    {
      "name": "CVE-2024-47759",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-47759"
    }
  ],
  "links": [],
  "reference": "CERTFR-2024-AVI-0996",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-11-18T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans GLPI. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une injection de code indirecte \u00e0 distance (XSS).",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans GLPI",
  "vendor_advisories": [
    {
      "published_at": "2024-11-15",
      "title": "Bulletin de s\u00e9curit\u00e9 GLPI GHSA-x8jv-fcwx-3x6m",
      "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-x8jv-fcwx-3x6m"
    },
    {
      "published_at": "2024-11-15",
      "title": "Bulletin de s\u00e9curit\u00e9 GLPI GHSA-8843-r3m7-gfqx",
      "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-8843-r3m7-gfqx"
    },
    {
      "published_at": "2024-11-15",
      "title": "Bulletin de s\u00e9curit\u00e9 GLPI GHSA-vvr8-chwj-9m4c",
      "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-vvr8-chwj-9m4c"
    },
    {
      "published_at": "2024-11-15",
      "title": "Bulletin de s\u00e9curit\u00e9 GLPI GHSA-p633-wfj5-8x44",
      "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-p633-wfj5-8x44"
    },
    {
      "published_at": "2024-11-15",
      "title": "Bulletin de s\u00e9curit\u00e9 GLPI GHSA-j73h-x6j3-m479",
      "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-j73h-x6j3-m479"
    },
    {
      "published_at": "2024-11-15",
      "title": "Bulletin de s\u00e9curit\u00e9 GLPI GHSA-3j2f-3j4v-hppr",
      "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-3j2f-3j4v-hppr"
    },
    {
      "published_at": "2024-11-15",
      "title": "Bulletin de s\u00e9curit\u00e9 GLPI GHSA-xwmx-mmrf-hqf9",
      "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-xwmx-mmrf-hqf9"
    },
    {
      "published_at": "2024-11-15",
      "title": "Bulletin de s\u00e9curit\u00e9 GLPI GHSA-hq9q-jfhp-qqgm",
      "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-hq9q-jfhp-qqgm"
    },
    {
      "published_at": "2024-11-17",
      "title": "Bulletin de s\u00e9curit\u00e9 GLPI GHSA-j8gc-xpgr-2ww7",
      "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-j8gc-xpgr-2ww7"
    },
    {
      "published_at": "2024-11-15",
      "title": "Bulletin de s\u00e9curit\u00e9 GLPI GHSA-67p8-v79j-jp86",
      "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-67p8-v79j-jp86"
    },
    {
      "published_at": "2024-11-15",
      "title": "Bulletin de s\u00e9curit\u00e9 GLPI GHSA-474f-9vpp-xxq5",
      "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-474f-9vpp-xxq5"
    }
  ]
}

CERTFR-2024-AVI-0996

Vulnerability from certfr_avis - Published: - Updated:

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	GLPI	GLPI	GLPI versions antérieures à 10.0.17

References

Title

Publication Time

Tags

Bulletin de sécurité GLPI GHSA-x8jv-fcwx-3x6m	2024-11-15	vendor-advisory
Bulletin de sécurité GLPI GHSA-8843-r3m7-gfqx	2024-11-15	vendor-advisory
Bulletin de sécurité GLPI GHSA-vvr8-chwj-9m4c	2024-11-15	vendor-advisory
Bulletin de sécurité GLPI GHSA-p633-wfj5-8x44	2024-11-15	vendor-advisory
Bulletin de sécurité GLPI GHSA-j73h-x6j3-m479	2024-11-15	vendor-advisory
Bulletin de sécurité GLPI GHSA-3j2f-3j4v-hppr	2024-11-15	vendor-advisory
Bulletin de sécurité GLPI GHSA-xwmx-mmrf-hqf9	2024-11-15	vendor-advisory
Bulletin de sécurité GLPI GHSA-hq9q-jfhp-qqgm	2024-11-15	vendor-advisory
Bulletin de sécurité GLPI GHSA-j8gc-xpgr-2ww7	2024-11-17	vendor-advisory
Bulletin de sécurité GLPI GHSA-67p8-v79j-jp86	2024-11-15	vendor-advisory
Bulletin de sécurité GLPI GHSA-474f-9vpp-xxq5	2024-11-15	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "GLPI versions ant\u00e9rieures \u00e0 10.0.17",
      "product": {
        "name": "GLPI",
        "vendor": {
          "name": "GLPI",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2024-41678",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41678"
    },
    {
      "name": "CVE-2024-45611",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45611"
    },
    {
      "name": "CVE-2024-43416",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-43416"
    },
    {
      "name": "CVE-2024-43417",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-43417"
    },
    {
      "name": "CVE-2024-41679",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41679"
    },
    {
      "name": "CVE-2024-45609",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45609"
    },
    {
      "name": "CVE-2024-40638",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-40638"
    },
    {
      "name": "CVE-2024-45610",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45610"
    },
    {
      "name": "CVE-2024-43418",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-43418"
    },
    {
      "name": "CVE-2024-45608",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-45608"
    },
    {
      "name": "CVE-2024-47759",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-47759"
    }
  ],
  "links": [],
  "reference": "CERTFR-2024-AVI-0996",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-11-18T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans GLPI. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une injection de code indirecte \u00e0 distance (XSS).",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans GLPI",
  "vendor_advisories": [
    {
      "published_at": "2024-11-15",
      "title": "Bulletin de s\u00e9curit\u00e9 GLPI GHSA-x8jv-fcwx-3x6m",
      "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-x8jv-fcwx-3x6m"
    },
    {
      "published_at": "2024-11-15",
      "title": "Bulletin de s\u00e9curit\u00e9 GLPI GHSA-8843-r3m7-gfqx",
      "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-8843-r3m7-gfqx"
    },
    {
      "published_at": "2024-11-15",
      "title": "Bulletin de s\u00e9curit\u00e9 GLPI GHSA-vvr8-chwj-9m4c",
      "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-vvr8-chwj-9m4c"
    },
    {
      "published_at": "2024-11-15",
      "title": "Bulletin de s\u00e9curit\u00e9 GLPI GHSA-p633-wfj5-8x44",
      "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-p633-wfj5-8x44"
    },
    {
      "published_at": "2024-11-15",
      "title": "Bulletin de s\u00e9curit\u00e9 GLPI GHSA-j73h-x6j3-m479",
      "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-j73h-x6j3-m479"
    },
    {
      "published_at": "2024-11-15",
      "title": "Bulletin de s\u00e9curit\u00e9 GLPI GHSA-3j2f-3j4v-hppr",
      "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-3j2f-3j4v-hppr"
    },
    {
      "published_at": "2024-11-15",
      "title": "Bulletin de s\u00e9curit\u00e9 GLPI GHSA-xwmx-mmrf-hqf9",
      "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-xwmx-mmrf-hqf9"
    },
    {
      "published_at": "2024-11-15",
      "title": "Bulletin de s\u00e9curit\u00e9 GLPI GHSA-hq9q-jfhp-qqgm",
      "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-hq9q-jfhp-qqgm"
    },
    {
      "published_at": "2024-11-17",
      "title": "Bulletin de s\u00e9curit\u00e9 GLPI GHSA-j8gc-xpgr-2ww7",
      "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-j8gc-xpgr-2ww7"
    },
    {
      "published_at": "2024-11-15",
      "title": "Bulletin de s\u00e9curit\u00e9 GLPI GHSA-67p8-v79j-jp86",
      "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-67p8-v79j-jp86"
    },
    {
      "published_at": "2024-11-15",
      "title": "Bulletin de s\u00e9curit\u00e9 GLPI GHSA-474f-9vpp-xxq5",
      "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-474f-9vpp-xxq5"
    }
  ]
}

FKIE_CVE-2024-43416

Vulnerability from fkie_nvd - Published: 2024-11-18 17:15 - Updated: 2025-01-07 17:05

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/glpi-project/glpi/commit/9be1466053f829680db318f7e7e5880d2d789c6d	Patch
	security-advisories@github.com	https://github.com/glpi-project/glpi/security/advisories/GHSA-j8gc-xpgr-2ww7	Vendor Advisory

Impacted products

	Vendor	Product	Version
	glpi-project	glpi	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "32ABC28B-4FBB-4935-84A6-099E9F11B796",
              "versionEndExcluding": "10.0.17",
              "versionStartIncluding": "0.80",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an unauthenticated user can use an application endpoint to check if an email address corresponds to a valid GLPI user. Version 10.0.17 fixes the issue."
    },
    {
      "lang": "es",
      "value": "GLPI es un paquete de software gratuito de gesti\u00f3n de activos y TI. A partir de la versi\u00f3n 0.80 y antes de la versi\u00f3n 10.0.17, un usuario no autenticado puede usar un endpoint de la aplicaci\u00f3n para verificar si una direcci\u00f3n de correo electr\u00f3nico corresponde a un usuario v\u00e1lido de GLPI. La versi\u00f3n 10.0.17 soluciona el problema."
    }
  ],
  "id": "CVE-2024-43416",
  "lastModified": "2025-01-07T17:05:20.757",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-11-18T17:15:11.220",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/glpi-project/glpi/commit/9be1466053f829680db318f7e7e5880d2d789c6d"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-j8gc-xpgr-2ww7"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-43416 (GCVE-0-2024-43416)

CERTFR-2024-AVI-0996

Solutions

CERTFR-2024-AVI-0996

Solutions

FKIE_CVE-2024-43416

Tags

Sightings

Nomenclature