Vulnerability Details : CVE-2022-31143
GLPI stands for Gestionnaire Libre de Parc Informatique and is a free asset and IT management software package that provides ITIL service desk features, license tracking and software auditing. In affected versions, private information defined in the GLPI setup (such as SMTP or CAS hosts) is exposed to unauthenticated users. Note that passwords are not exposed. Users are advised to upgrade to version 10.0.3. There are no known workarounds for this issue.
Vulnerability category: Information leak
Products affected by CVE-2022-31143
- cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-31143
0.07% (probability of exploitation activity in the next 30 days)
~33% (percentile: the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2022-31143
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 | NIST | 
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 | GitHub, Inc. | 
CWE ids for CVE-2022-31143
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: security-advisories@github.com (Primary)
References for CVE-2022-31143
- https://github.com/glpi-project/glpi/security/advisories/GHSA-6mmq-x3j2-677j
  Leak of sensitive informations through login page error · Advisory · glpi-project/glpi · GitHub (Third Party Advisory)
- https://github.com/glpi-project/glpi/commit/e66a0dfe697cbd4b3ec22736a8f8fd025a28f978
  Do not expose CFG_GLPI on anonymous page · glpi-project/glpi@e66a0df · GitHub (Patch; Third Party Advisory)