Bug 26625

Summary: glpi new security issues CVE-2020-1103[3-6]
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: andrewsfarm, herman.viaene, mageia, sysadmin-bugs, tmb
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7-64-OK
Source RPM: glpi-9.4.5-1.1.mga7.src.rpm
CVE:
Status comment:

David Walser 2020-05-14 22:57:02 CEST

Status comment: (none) => Fixed upstream in 9.4.6

Comment 1 Nicolas Lécureuil 2020-05-17 16:58:11 CEST
Pushed in updates testing.

Advisory:
========================

A new version of libntlm.
It fixes CVE-2020-11033 through CVE-2020-11036.

https://github.com/glpi-project/glpi/security/advisories/GHSA-rf54-3r4w-4h55
https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg
https://github.com/glpi-project/glpi/security/advisories/GHSA-w7q8-58qp-vmpf
https://github.com/glpi-project/glpi/security/advisories/GHSA-3g3h-rwhr-7385

Updated packages in core/updates_testing:
========================
glpi-9.4.5-1.1.mga7

from: glpi-9.4.5-1.1.mga7

Status: NEW => ASSIGNED
CC: (none) => mageia
Assignee: guillomovitch => qa-bugs

Comment 2 David Walser 2020-05-17 19:36:15 CEST
Advisory:
========================

Updated glpi packages fix security vulnerabilities:

In GLPI from version 9.1 and before version 9.4.6, any API user with READ
right on the User itemtype will have access to the full list of users when
querying apirest.php/User. The response contains:
- all api_tokens, which can be used for privilege escalation or to
  read/update/delete data normally not accessible to the current user;
- all personal_tokens, which can display another user's planning.
Exploiting this vulnerability requires the API to be enabled and a technician
account. It can be mitigated by adding an application token (CVE-2020-11033).

In GLPI before version 9.4.6, there is a vulnerability that allows bypassing
the open redirect protection, which is based on a regexp (CVE-2020-11034).

In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are
generated using an insecure algorithm. The implementation uses rand, uniqid
and MD5, which do not provide secure values (CVE-2020-11035).

In GLPI before version 9.4.6 there are multiple related stored XSS
vulnerabilities. The package is vulnerable to stored XSS in the comments of
items in the Knowledge base. Adding a comment with content
"<script>alert(1)</script>" reproduces the attack. This can be exploited by a
user with administrator privileges in the User-Agent field. It can also be
exploited by an outside party through the following steps:
1. Create a user with the surname `" onmouseover="alert(document.cookie)` and
   an empty first name.
2. With this user, create a ticket.
3. As an administrator (or other privileged user), open the created ticket.
4. On the "last update" field, put your mouse on the name of the user.
5. The XSS fires (CVE-2020-11036).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11033
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11034
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11035
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11036
https://github.com/glpi-project/glpi/security/advisories/GHSA-rf54-3r4w-4h55
https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg
https://github.com/glpi-project/glpi/security/advisories/GHSA-w7q8-58qp-vmpf
https://github.com/glpi-project/glpi/security/advisories/GHSA-3g3h-rwhr-7385
https://github.com/glpi-project/glpi/releases/tag/9.4.6
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q4BG2UTINBVV7MTJRXKBQ26GV2UINA6L/

Status comment: Fixed upstream in 9.4.6 => (none)

Comment 3 David Walser 2020-05-17 19:40:01 CEST
Nicolas, you didn't actually update the package.

CC: (none) => qa-bugs
Assignee: qa-bugs => mageia

Comment 4 David Walser 2020-05-17 20:09:49 CEST
Modifying advisory since we patched it instead of updating.

Advisory:
========================

Updated glpi packages fix security vulnerabilities:

In GLPI from version 9.1 and before version 9.4.6, any API user with READ
right on the User itemtype will have access to the full list of users when
querying apirest.php/User. The response contains:
- all api_tokens, which can be used for privilege escalation or to
  read/update/delete data normally not accessible to the current user;
- all personal_tokens, which can display another user's planning.
Exploiting this vulnerability requires the API to be enabled and a technician
account. It can be mitigated by adding an application token (CVE-2020-11033).

In GLPI before version 9.4.6, there is a vulnerability that allows bypassing
the open redirect protection, which is based on a regexp (CVE-2020-11034).

In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are
generated using an insecure algorithm. The implementation uses rand, uniqid
and MD5, which do not provide secure values (CVE-2020-11035).

In GLPI before version 9.4.6 there are multiple related stored XSS
vulnerabilities. The package is vulnerable to stored XSS in the comments of
items in the Knowledge base. Adding a comment with content
"<script>alert(1)</script>" reproduces the attack. This can be exploited by a
user with administrator privileges in the User-Agent field. It can also be
exploited by an outside party through the following steps:
1. Create a user with the surname `" onmouseover="alert(document.cookie)` and
   an empty first name.
2. With this user, create a ticket.
3. As an administrator (or other privileged user), open the created ticket.
4. On the "last update" field, put your mouse on the name of the user.
5. The XSS fires (CVE-2020-11036).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11033
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11034
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11035
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11036
https://github.com/glpi-project/glpi/security/advisories/GHSA-rf54-3r4w-4h55
https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg
https://github.com/glpi-project/glpi/security/advisories/GHSA-w7q8-58qp-vmpf
https://github.com/glpi-project/glpi/security/advisories/GHSA-3g3h-rwhr-7385
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q4BG2UTINBVV7MTJRXKBQ26GV2UINA6L/
========================

Updated packages in core/updates_testing:
========================
glpi-9.4.5-1.2.mga7

from glpi-9.4.5-1.2.mga7.src.rpm

Assignee: mageia => qa-bugs
CC: qa-bugs => (none)
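The weak CSRF token construction described for CVE-2020-11035 beside a CSPRNG-based replacement with single-use, constant-time validation, as an added PHP example that is not GLPI's code and not part of this bug report. The session store is a plain array and the one-hour token lifetime is an assumption.

```php
<?php
// Added example, not GLPI's code: the weak CSRF token construction named in
// CVE-2020-11035 beside a CSPRNG-based replacement with single-use,
// constant-time validation. The session is a plain array (assumption) so
// the file runs from the CLI; the one-hour lifetime is also an assumption.

// Weak: rand() is not a CSPRNG, uniqid() is derived from the clock, and
// MD5 adds no entropy, so the token's effective entropy is far below its
// 128-bit length and the value is guessable.
function weak_csrf_token(): string
{
    return md5(uniqid((string) rand(), true));
}

// Hardened: 256 bits from the OS CSPRNG. random_bytes() throws when no
// secure source is available instead of silently degrading.
function strong_csrf_token(): string
{
    return bin2hex(random_bytes(32));
}

// Issue a token and record its issue time in the caller's session store.
function issue_csrf_token(array &$session): string
{
    $token = strong_csrf_token();
    $session['csrf_tokens'][$token] = time();
    return $token;
}

// Validate a submitted token: constant-time comparison, consumed on first
// use, rejected after the assumed 3600-second lifetime.
function check_csrf_token(array &$session, string $submitted): bool
{
    foreach ($session['csrf_tokens'] ?? [] as $stored => $issued) {
        if (hash_equals((string) $stored, $submitted)) {
            unset($session['csrf_tokens'][$stored]);
            return (time() - $issued) <= 3600;
        }
    }
    return false;
}

$session = [];
$token = issue_csrf_token($session);
var_dump(check_csrf_token($session, $token));            // first use
var_dump(check_csrf_token($session, $token));            // replay of a consumed token
var_dump(check_csrf_token($session, weak_csrf_token())); // token never issued by us
```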

Comment 5 Herman Viaene 2020-05-19 15:49:30 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref to bugs 25931 and 21331 for testing, so:
# systemctl start httpd
# systemctl start mysqld

$ mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 10.3.22-MariaDB Mageia MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database dbbglpi character set utf8;
Query OK, 1 row affected (0.001 sec)

MariaDB [(none)]> grant all privileges on dbbglpi.* to glpi@localhost identified by 'glpi';
Query OK, 0 rows affected (0.001 sec)

Then pointed Firefox to localhost:glpi and completed the installation step successfully. OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 6 Thomas Andrews 2020-05-20 14:00:46 CEST
Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-05-24 16:04:20 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 7 Mageia Robot 2020-05-24 20:06:33 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0220.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED