Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
5.3
CVSSv3

CVE-2020-5248

Published: 12/05/2020 Updated: 14/05/2020
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 5.3 | Impact Score: 1.4 | Exploitability Score: 3.9
VMScore: 446
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Subscribe to Glpi-project

Vulnerability Summary

GLPI before before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on existing instances, data must be reencrypted with the new key. Problem is we can not know which columns or rows in the database are using that; espcially from plugins. Changing the key without updating data would lend in bad password sent from glpi; but storing them again from the UI will work.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

glpi-project glpi

Github Repositories

https://github.com/Mkway/CVE-2020-5248

CVE-2020-5248

CVE-2020-5248 POC 환경 구성 및 테스트 입니다 테스트 방법 환경 구성 vim docker/nginx/defaultconf server_name [docker host ip ]; -change mysqlserver: mysql id: root pw: root 실행 cd docker/app/ tar -xvf /docker/app/glpi-945tgz chmod -R 777 glpi docker-compose up -d g

https://github.com/devious-way/CVE-2020-5248

Proof of Concept (PoC) for CVE-2020-5248.

CVE-2020-5248 Proof of Concept (PoC) for CVE-2020-5248 Summary GLPI before before version 946 has a vulnerability involving a default encryption key GLPIKEY is public and is used on every instance This means anyone can decrypt sensitive data stored using this key It is possible to change the key before installing GLPI But on existing instances, data must be reencrypted w

https://github.com/indevi0us/CVE-2020-5248

Proof of Concept (PoC) for CVE-2020-5248.

CVE-2020-5248 Proof of Concept (PoC) for CVE-2020-5248 Summary GLPI before before version 946 has a vulnerability involving a default encryption key GLPIKEY is public and is used on every instance This means anyone can decrypt sensitive data stored using this key It is possible to change the key before installing GLPI But on existing instances, data must be reencrypted w

References

CWE-798https://github.com/glpi-project/glpi/security/advisories/GHSA-j222-j9mf-h6j9https://github.com/glpi-project/glpi/commit/efd14468c92c4da43333aa9735e65fd20cbc7c6chttps://nvd.nist.govhttps://github.com/Mkway/CVE-2020-5248
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-4040privilege escalationCVE-2024-4112CVE-2024-32872man-in-the-middleCVE-2024-32788bypassCVE-2024-3400CVE-2024-28976
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook