Vulnerability Description
GLPI is a free asset and IT management software package. Prior to version 9.5.7, an entity administrator is capable of retrieving normally inaccessible data via SQL injection. Version 9.5.7 contains a patch for this issue. As a workaround, disabling the `Entities` update right prevents exploitation of this vulnerability.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Glpi-Project | Glpi | < 9.5.7 |
Related Weaknesses (CWE)
References
- https://github.com/glpi-project/glpi/commit/5c3eee696b503fdf502f506b00d15cf5b324PatchThird Party Advisory
- https://github.com/glpi-project/glpi/releases/tag/9.5.7Release NotesThird Party Advisory
- https://github.com/glpi-project/glpi/security/advisories/GHSA-5hg4-r64r-rf83MitigationThird Party Advisory
- https://github.com/glpi-project/glpi/commit/5c3eee696b503fdf502f506b00d15cf5b324PatchThird Party Advisory
- https://github.com/glpi-project/glpi/releases/tag/9.5.7Release NotesThird Party Advisory
- https://github.com/glpi-project/glpi/security/advisories/GHSA-5hg4-r64r-rf83MitigationThird Party Advisory
FAQ
What is CVE-2022-21720?
CVE-2022-21720 is a vulnerability with a CVSS score of 4.9 (MEDIUM). GLPI is a free asset and IT management software package. Prior to version 9.5.7, an entity administrator is capable of retrieving normally inaccessible data via SQL injection. Version 9.5.7 contains a...
How severe is CVE-2022-21720?
CVE-2022-21720 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-21720?
Check the references section above for vendor advisories and patch information. Affected products include: Glpi-Project Glpi.