CVE-2018-7562Race Condition in Glpi

CWE-362Race ConditionCWE-434Unrestricted File Upload6 documents4 sources
Severity
7.5HIGHNVD
EPSS
1.0%
top 22.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Glpi-project Glpi
Timeline
PublishedMar 12
Latest updateMay 14

Description

A remote code execution issue was discovered in GLPI through 9.2.1. There is a race condition that allows temporary access to an uploaded executable file that will be disallowed. The application allows an authenticated user to upload a file when he/she creates a new ticket via front/fileupload.php. This feature is protected using different types of security features like the check on the file's extension. However, the application uploads and creates a file, though this file is not allowed, and t

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-m6v3-mvq4-j684: A remote code execution issue was discovered in GLPI through 92022-05-14
OSV
CVE-2018-7562: A remote code execution issue was discovered in GLPI through 92018-03-12

💬Community

3
Bugzilla
CVE-2018-7563 glpi: various flaws [fedora-all]2018-03-13
Bugzilla
CVE-2018-7563 glpi: various flaws [epel-7]2018-03-13
Bugzilla
CVE-2018-7562 glpi: Race condition allowing temporary access to an uploaded executable file leading to code execution2018-03-13