CVE-2020-11031 — Use of a Broken or Risky Cryptographic Algorithm in Glpi

CWE-327 — Use of a Broken or Risky Cryptographic Algorithm5 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 82.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Glpi-project Glpi

Timeline

PublishedSep 23

Description

In GLPI before version 9.5.0, the encryption algorithm used is insecure. The security of the data encrypted relies on the password used, if a user sets a weak/predictable password, an attacker could decrypt data. This is fixed in version 9.5.0 by using a more secure encryption library. The library chosen is sodium.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

▶NVDglpi-project/glpi< 9.5.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2020-11031: In GLPI before version 9↗2020-09-23

▶

💬Community

Bugzilla

CVE-2020-11031 glpi: encryption algorithm used is insecure [epel-7]↗2020-09-23

▶

Bugzilla

CVE-2020-11031 glpi: encryption algorithm used is insecure [fedora-all]↗2020-09-23

▶

Bugzilla

CVE-2020-11031 glpi: encryption algorithm used is insecure↗2020-09-23

▶