CVE-2023-51446

Published: 1 February 2024

GLPI is a Free Asset and IT Management Software package. When authentication is made against a LDAP, the authentication form can be used to perform LDAP injection. Upgrade to 10.0.12.

Priority

Cvss 3 Severity Score

8.1

Score breakdown

Status

Package	Release	Status
glpi Launchpad, Ubuntu, Debian	bionic	Does not exist
	focal	Does not exist
	jammy	Does not exist
	mantic	Does not exist
	noble	Does not exist
	trusty	Ignored (end of standard support)
	upstream	Needs triage
	xenial	Needs triage

Severity score breakdown

Parameter	Value
Base score	8.1
Attack vector	Network
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

https://github.com/glpi-project/glpi/security/advisories/GHSA-p995-jmfv-c7r8
https://github.com/glpi-project/glpi/commit/58c67d78f2e3ad08264213e9aaf56eab3c9ded35
https://github.com/glpi-project/glpi/releases/tag/10.0.12
https://www.cve.org/CVERecord?id=CVE-2023-51446
NVD
Launchpad
Debian

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›