CVE-2020-11035 — Use of a Broken or Risky Cryptographic Algorithm in Glpi

CWE-327 — Use of a Broken or Risky Cryptographic Algorithm5 documents3 sources

Severity

9.3CRITICALNVD

EPSS

0.2%

top 52.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Glpi-project Glpi Fedoraproject Fedora

Timeline

PublishedMay 5

Latest updateMay 11

Description

In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. The implementation uses rand and uniqid and MD5 which does not provide secure values. This is fixed in version 9.4.6.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:NExploitability: 3.9 | Impact: 4.7

Affected Packages2 packages

▶NVDglpi-project/glpi0.83.3 — 9.4.6

▶CVEListV5glpi-project/glpi> 0.83.3, < 9.4.6

Also affects: Fedora 31, 32

🔴Vulnerability Details

OSV

CVE-2020-11035: In GLPI after version 0↗2020-05-05

▶

💬Community

Bugzilla

CVE-2020-11035 glpi: CSRF tokens are generated using an insecure algorithm [epel-7]↗2020-05-11

▶

Bugzilla

CVE-2020-11035 glpi: CSRF tokens are generated using an insecure algorithm↗2020-05-11

▶

Bugzilla

CVE-2020-11035 glpi: CSRF tokens are generated using an insecure algorithm [fedora-all]↗2020-05-11

▶