Insecure Encryption

Affecting glpi/glpi package, versions <9.5.0


Overview

glpi/glpi is a free Asset and IT Management Software package with ITIL Service Desk, licenses tracking and software auditing.

Affected versions of this package are vulnerable to Insecure Encryption. The encryption used to protect stored data is only as strong as the secret it is keyed with: if a user sets a weak or predictable password, an attacker who obtains the encrypted data can guess that password and decrypt it.
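To make the weakness concrete, here is an added example (not GLPI's code; the HMAC-based stream cipher, the stored credential and the attacker wordlist are stand-ins constructed for illustration, and the page does not describe the real algorithm). It shows that when the key is a function of a human-chosen password, anyone holding the ciphertext can recover the key by enumerating passwords, and that a random key stored outside the password space does not share this property:

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in stream cipher
    (an illustrative choice, not GLPI's algorithm)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify under this key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


def key_from_password(password: str) -> bytes:
    """The weak pattern: the key is a deterministic function of a human-chosen
    secret, so the effective key space is the password space. A slow KDF
    (PBKDF2, Argon2) would raise the cost per guess but not change this."""
    return hashlib.sha256(password.encode("utf-8")).digest()


# Constructed sample data: a stored credential and a small attacker wordlist.
SECRET = b"ldap_bind_password=s3cret"
WORDLIST = ["admin", "password", "glpi", "letmein", "Winter2020"]


def dictionary_attack(blob: bytes, candidates):
    """Try each candidate password as the encryption secret. The MAC check is
    the oracle here; without a MAC an attacker would instead look for plausible
    plaintext structure (printable ASCII, a known field prefix, ...)."""
    for password in candidates:
        plaintext = decrypt(key_from_password(password), blob)
        if plaintext is not None:
            return password, plaintext
    return None


def weak_deployment():
    """Operator chose 'glpi' as the encryption secret: recovered in a few guesses."""
    blob = encrypt(key_from_password("glpi"), SECRET)
    return dictionary_attack(blob, WORDLIST)


def strong_deployment():
    """Key is 256 bits of randomness held in a server-side file and never typed
    by a human; a wordlist has nothing to enumerate."""
    key = secrets.token_bytes(32)
    blob = encrypt(key, SECRET)
    assert decrypt(key, blob) == SECRET  # round trip still works for the legitimate holder
    return dictionary_attack(blob, WORDLIST)


if __name__ == "__main__":
    print("weak  :", weak_deployment())    # ('glpi', b'ldap_bind_password=s3cret')
    print("strong:", strong_deployment())  # None
```

The cipher itself is identical in both deployments; the only difference is where the key comes from. That is the point of this advisory class (CWE-326): choosing a stronger primitive does not help while the key is derived from something an attacker can guess.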

Remediation

Upgrade glpi/glpi to version 9.5.0 or higher. Because the weakness is in how stored data was encrypted, upgrading does not protect values that were encrypted under the old scheme and copied out before the upgrade; rotate any credentials that were stored in an affected version.

CVSS Score

5.4
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    Low
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    None
  • Integrity
    Low
  • Availability
    Low
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:R
Credit
Unknown
CVE
CVE-2020-11031
CWE
CWE-326
Snyk ID
SNYK-PHP-GLPIGLPI-1012558
Disclosed
24 Sep, 2020
Published
24 Sep, 2020