Vulnerability Description
In GLPI before version 9.5.0, the encryption algorithm used is insecure. The security of the data encrypted relies on the password used, if a user sets a weak/predictable password, an attacker could decrypt data. This is fixed in version 9.5.0 by using a more secure encryption library. The library chosen is sodium.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Glpi-Project | Glpi | < 9.5.0 |
Related Weaknesses (CWE)
References
- https://github.com/glpi-project/glpi/commit/f1ae6c8481e5c19a6f1801a5548cada45702PatchThird Party Advisory
- https://github.com/glpi-project/glpi/security/advisories/GHSA-7xwm-4vjr-jvqhThird Party Advisory
- https://github.com/glpi-project/glpi/commit/f1ae6c8481e5c19a6f1801a5548cada45702PatchThird Party Advisory
- https://github.com/glpi-project/glpi/security/advisories/GHSA-7xwm-4vjr-jvqhThird Party Advisory
FAQ
What is CVE-2020-11031?
CVE-2020-11031 is a vulnerability with a CVSS score of 7.8 (HIGH). In GLPI before version 9.5.0, the encryption algorithm used is insecure. The security of the data encrypted relies on the password used, if a user sets a weak/predictable password, an attacker could d...
How severe is CVE-2020-11031?
CVE-2020-11031 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-11031?
Check the references section above for vendor advisories and patch information. Affected products include: Glpi-Project Glpi.