MGASA-2020-0220 - Updated glpi packages fix security vulnerabilities

Publication date: 24 May 2020
URL: https://advisories.mageia.org/MGASA-2020-0220.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-11033,
     CVE-2020-11034,
     CVE-2020-11035,
     CVE-2020-11036

Updated glpi packages fix security vulnerabilities:

In GLPI from version 9.1 and before version 9.4.6, any API user with READ
right on User itemtype will have access to full list of users when querying
apirest.php/User. The response contains: - All api_tokens which can be used
to do privileges escalations or read/update/delete data normally non
accessible to the current user. - All personal_tokens can display another
users planning. Exploiting this vulnerability requires the api to be
enabled, a technician account. It can be mitigated by adding an application
token (CVE-2020-11033).

In GLPI before version 9.4.6, there is a vulnerability that allows
bypassing the open redirect protection based which is based on a regexp
(CVE-2020-11034).

In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are
generated using an insecure algorithm. The implementation uses rand and
uniqid and MD5 which does not provide secure values (CVE-2020-11035).

In GLPI before version 9.4.6 there are multiple related stored XSS
vulnerabilities. The package is vulnerable to Stored XSS in the comments of
items in the Knowledge base. Adding a comment with content "" reproduces the attack. This can be exploited by a user with
administrator privileges in the User-Agent field. It can also be exploited
by an outside party through the following steps: 1. Create a user with the
surname `" onmouseover="alert(document.cookie)` and an empty first name. 2.
With this user, create a ticket 3. As an administrator (or other privileged
user) open the created ticket 4. On the "last update" field, put your mouse
on the name of the user 5. The XSS fires (CVE-2020-11036).

References:
- https://bugs.mageia.org/show_bug.cgi?id=26625
- https://github.com/glpi-project/glpi/security/advisories/GHSA-rf54-3r4w-4h55
- https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg
- https://github.com/glpi-project/glpi/security/advisories/GHSA-w7q8-58qp-vmpf
- https://github.com/glpi-project/glpi/security/advisories/GHSA-3g3h-rwhr-7385
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q4BG2UTINBVV7MTJRXKBQ26GV2UINA6L/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11033
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11034
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11035
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11036

SRPMS:
- 7/core/glpi-9.4.5-1.2.mga7

Mageia 2020-0220: glpi security update

Updated glpi packages fix security vulnerabilities: In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list ...

Summary

Updated glpi packages fix security vulnerabilities:
In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User. The response contains: - All api_tokens which can be used to do privileges escalations or read/update/delete data normally non accessible to the current user. - All personal_tokens can display another users planning. Exploiting this vulnerability requires the api to be enabled, a technician account. It can be mitigated by adding an application token (CVE-2020-11033).
In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection based which is based on a regexp (CVE-2020-11034).
In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. The implementation uses rand and uniqid and MD5 which does not provide secure values (CVE-2020-11035).
...

Read the Full Advisory

References

- https://bugs.mageia.org/show_bug.cgi?id=26625

- https://github.com/glpi-project/glpi/security/advisories/GHSA-rf54-3r4w-4h55

- https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg

- https://github.com/glpi-project/glpi/security/advisories/GHSA-w7q8-58qp-vmpf

- https://github.com/glpi-project/glpi/security/advisories/GHSA-3g3h-rwhr-7385

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q4BG2UTINBVV7MTJRXKBQ26GV2UINA6L/

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11033

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11034

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11035

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11036

Resolution

MGASA-2020-0220 - Updated glpi packages fix security vulnerabilities

SRPMS

- 7/core/glpi-9.4.5-1.2.mga7

Severity
Publication date: 24 May 2020
URL: https://advisories.mageia.org/MGASA-2020-0220.html
Type: security
CVE: CVE-2020-11033, CVE-2020-11034, CVE-2020-11035, CVE-2020-11036

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
Dec 06, 2024
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
A Linux Admin's Guide to Tackling Emerging Cloud-Native Security Risks
3 - 6 min read
Dec 05, 2024
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
Leveraging Insights from the Linux Foundation's Census III Report for More Secure Linux Administration
3 - 5 min read
Dec 05, 2024
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Dec 04, 2024
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1's Impact on Linux Administration
3 - 6 min read
Dec 03, 2024
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
Dec 03, 2024
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
Deck the Halls with Enhanced Security: Linux Kernel 6.13's Top Features & Improvements
3 - 5 min read
Dec 02, 2024
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
Dec 02, 2024
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved