CVE-2023-34254

Published: Jun 23, 2023Modified: Nov 21, 2024

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

The GLPI Agent is a generic management agent. Prior to version 1.5, if glpi-agent is running remoteinventory task against an Unix platform with ssh command, an administrator user on the remote can manage to inject a command in a specific workflow the agent would run with the privileges it uses. In the case, the agent is running with administration privileges, a malicious user could gain high privileges on the computer glpi-agent is running on. A malicious user could also disclose all remote accesses the agent is configured with for remoteinventory task. This vulnerability has been patched in glpi-agent 1.5.

Affected (1)

Products: Glpi Project: Glpi Agent

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Glpi Project Glpi Agent	Before 1.5

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (4)

https://github.com/glpi-project/glpi-agent/blob/dd313ee0914becf74c0e48cb512765210043b478/Changes#L98

Source: security-advisories@github.com

Patch

https://github.com/glpi-project/glpi-agent/security/advisories/GHSA-39vc-hxgm-j465

Source: security-advisories@github.com

MitigationVendor Advisory

https://github.com/glpi-project/glpi-agent/blob/dd313ee0914becf74c0e48cb512765210043b478/Changes#L98

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/glpi-project/glpi-agent/security/advisories/GHSA-39vc-hxgm-j465

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationVendor Advisory

Timeline

No history available yet.