CVE-2020-5248 — Hard-coded Credentials in Glpi

CWE-798 — Hard-coded Credentials CWE-1391 — Use of Weak Credentials3 documents3 sources

Severity

5.3MEDIUMNVD

EPSS

2.8%

top 13.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Glpi-project Glpi

Timeline

PublishedMay 12

Description

GLPI before before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on existing instances, data must be reencrypted with the new key. Problem is we can not know which columns or rows in the database are using that; espcially from plugins. Changing the key without updating data would lend in bad passw…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages1 packages

▶NVDglpi-project/glpi< 9.4.6

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2020-5248: GLPI before before version 9↗2020-05-12

▶

📐Framework References

CWE

Use of Weak Credentials↗

▶