ALT Linux Team

Branch p10_e2k update on 2024-04-01

2024-04-01

ALT-BU-2024-4885-1

Branch p10_e2k update bulletin.

ALT-PU-2024-4882-1

Package ansible updated to version 2.9.27-alt3.p10.2 for branch p10_e2k.

Closed bugs

Bug #49182

ansible 2.9 does not work with python 3.12

ALT-PU-2024-4884-1

Package glpi updated to version 10.0.14-alt1 for branch p10_e2k.

Closed vulnerabilities

Published: 2024-03-13

BDU:2024-02142

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю выполнить произвольный SQL-код

Severity: HIGH (7.7) Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
References:
Published: 2024-03-13

BDU:2024-02268

Уязвимость системы заявок, инцидентов и инвентаризации компьютерного оборудования GLPI, связанная с недостатками процедуры авторизации, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Severity: MEDIUM (6.5) Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Published: 2024-03-18
Modified: 2025-01-02

CVE-2024-27096

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in the search engine to extract data from the database. This issue has been patched in version 10.0.13.

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Published: 2024-03-18
Modified: 2025-01-02

CVE-2024-27098

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can execute a SSRF based attack using Arbitrary Object Instantiation. This issue has been patched in version 10.0.13.

Severity: CRITICAL (9.6) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
References:
Published: 2024-03-18
Modified: 2025-01-02

CVE-2024-27104

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. A user with rights to create and share dashboards can build a dashboard containing javascript code. Any user that will open this dashboard will be subject to an XSS attack. This issue has been patched in version 10.0.13.

Severity: MEDIUM (4.8) Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
References:
Published: 2024-03-18
Modified: 2025-01-02

CVE-2024-27914

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI administrator in order to exploit a reflected XSS vulnerability. The XSS will only trigger if the administrator navigates through the debug bar. This issue has been patched in version 10.0.13.

Severity: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Published: 2024-03-18
Modified: 2025-01-02

CVE-2024-27930

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can access sensitive fields data from items on which he has read access. This issue has been patched in version 10.0.13.

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References:
Published: 2024-03-18
Modified: 2025-01-02

CVE-2024-27937

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can obtain the email address of all GLPI users. This issue has been patched in version 10.0.13.

Severity: MEDIUM (4.3) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
References:
VKontakte | Telegram | YouTube | Forum | GitHub | Bugzilla
Version: 2.1.0
Back to top