CVE-2022-24867 — Sensitive Information Exposure in Glpi

CWE-200 — Sensitive Information Exposure CWE-522 — Insufficiently Protected Credentials CWE-540 — Inclusion of Sensitive Information in Source Code2 documents2 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 41.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Glpi-project Glpi

Timeline

PublishedApr 21

Description

GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. When you pass the config to the javascript, some entries are filtered out. The variable ldap_pass is not filtered and when you look at the source code of the rendered page, we can see the password for the root dn. Users are advised to upgrade. There is no known workaround for this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

▶NVDglpi-project/glpi< 10.0.0

Patches

Patch: github.com ↗Patch: github.com ↗

📐Framework References

CWE

Inclusion of Sensitive Information in Source Code↗

▶