CVE-2023-34254
CVSS V2 None
CVSS V3 None
Description
The GLPI Agent is a generic management agent. Prior to version 1.5, if glpi-agent is running a remoteinventory task against a Unix platform with the ssh command, an administrator user on the remote can manage to inject a command into a specific workflow that the agent would run with the privileges it uses. If the agent is running with administration privileges, a malicious user could gain high privileges on the computer glpi-agent is running on. A malicious user could also disclose all remote accesses the agent is configured with for the remoteinventory task. This vulnerability has been patched in glpi-agent 1.5.
Overview
- CVE ID: CVE-2023-34254
- Assigner: GitHub_M
- Vulnerability Status: PUBLISHED
- Published Version: 2023-06-23T20:19:03.534Z
- Last Modified Date: 2023-06-23T20:19:03.534Z
Weakness Enumerations
References
Reference URL | Reference Tags |
---|---|
https://github.com/glpi-project/glpi-agent/security/advisories/GHSA-39vc-hxgm-j465 | x_refsource_CONFIRM |
https://github.com/glpi-project/glpi-agent/blob/dd313ee0914becf74c0e48cb512765210043b478/Changes#L98 | x_refsource_MISC |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2023-34254 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34254 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2024-06-25 20:45:23 | | | | Added to TrackCVE |