Lucene search

Ubuntu.comUB:CVE-2020-15176

HistoryOct 07, 2020 - 12:00 a.m.

CVE-2020-15176

2020-10-0700:00:00

ubuntu.com

glpi

sql injection

patched vulnerability

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

8.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

EPSS

0.001

Percentile

44.4%

JSON

In GLPI before version 9.5.2, when supplying a back tick in input that gets
put into a SQL query,the application does not escape or sanitize allowing
for SQL Injection to occur. Leveraging this vulnerability an attacker is
able to exfiltrate sensitive information like passwords, reset tokens,
personal details, and more. The issue is patched in version 9.5.2

References

github.com/glpi-project/glpi/commit/f021f1f365b4acea5066d3e57c6d22658cf32575

launchpad.net/bugs/cve/CVE-2020-15176

nvd.nist.gov/vuln/detail/CVE-2020-15176

security-tracker.debian.org/tracker/CVE-2020-15176

www.cve.org/CVERecord?id=CVE-2020-15176

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

8.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

EPSS

0.001

Percentile

44.4%

JSON

Related for UB:CVE-2020-15176