Vulnerability Description
The GLPI Agent is a generic management agent. Prior to version 1.5, when glpi-agent runs the remoteinventory task against a Unix platform using the ssh command, an administrator on the remote host can inject a command into a specific workflow that the agent executes with its own privileges. If the agent is running with administrative privileges, a malicious user could thereby gain high privileges on the computer where glpi-agent is running. A malicious user could also disclose all the remote accesses the agent is configured with for the remoteinventory task. This vulnerability has been patched in glpi-agent 1.5.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Glpi-Project | Glpi Agent | < 1.5 |
Related Weaknesses (CWE)
References
- https://github.com/glpi-project/glpi-agent/blob/dd313ee0914becf74c0e48cb51276521 (Patch)
- https://github.com/glpi-project/glpi-agent/security/advisories/GHSA-39vc-hxgm-j4 (Mitigation, Vendor Advisory)
FAQ
What is CVE-2023-34254?
CVE-2023-34254 is a vulnerability with a CVSS score of 7.6 (HIGH). The GLPI Agent is a generic management agent. Prior to version 1.5, if glpi-agent is running the remoteinventory task against a Unix platform with the ssh command, an administrator user on the remote can man...
How severe is CVE-2023-34254?
CVE-2023-34254 has been rated HIGH with a CVSS base score of 7.6/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2023-34254?
Check the references section above for vendor advisories and patch information. Affected products include: Glpi-Project Glpi Agent.