MGASA-2020-0220 - Updated glpi packages fix security vulnerabilities

Publication date: 24 May 2020
URL: https://advisories.mageia.org/MGASA-2020-0220.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-11033,
     CVE-2020-11034,
     CVE-2020-11035,
     CVE-2020-11036

Updated glpi packages fix security vulnerabilities:

In GLPI from version 9.1 and before version 9.4.6, any API user with READ
right on User itemtype will have access to full list of users when querying
apirest.php/User. The response contains: - All api_tokens which can be used
to do privileges escalations or read/update/delete data normally non
accessible to the current user. - All personal_tokens can display another
users planning. Exploiting this vulnerability requires the api to be
enabled, a technician account. It can be mitigated by adding an application
token (CVE-2020-11033).

In GLPI before version 9.4.6, there is a vulnerability that allows
bypassing the open redirect protection based which is based on a regexp
(CVE-2020-11034).

In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are
generated using an insecure algorithm. The implementation uses rand and
uniqid and MD5 which does not provide secure values (CVE-2020-11035).

In GLPI before version 9.4.6 there are multiple related stored XSS
vulnerabilities. The package is vulnerable to Stored XSS in the comments of
items in the Knowledge base. Adding a comment with content "" reproduces the attack. This can be exploited by a user with
administrator privileges in the User-Agent field. It can also be exploited
by an outside party through the following steps: 1. Create a user with the
surname `" onmouseover="alert(document.cookie)` and an empty first name. 2.
With this user, create a ticket 3. As an administrator (or other privileged
user) open the created ticket 4. On the "last update" field, put your mouse
on the name of the user 5. The XSS fires (CVE-2020-11036).

References:
- https://bugs.mageia.org/show_bug.cgi?id=26625
- https://github.com/glpi-project/glpi/security/advisories/GHSA-rf54-3r4w-4h55
- https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg
- https://github.com/glpi-project/glpi/security/advisories/GHSA-w7q8-58qp-vmpf
- https://github.com/glpi-project/glpi/security/advisories/GHSA-3g3h-rwhr-7385
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q4BG2UTINBVV7MTJRXKBQ26GV2UINA6L/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11033
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11034
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11035
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11036

SRPMS:
- 7/core/glpi-9.4.5-1.2.mga7

Mageia 2020-0220: glpi security update

Updated glpi packages fix security vulnerabilities: In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list ...

Summary

Updated glpi packages fix security vulnerabilities:
In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User. The response contains: - All api_tokens which can be used to do privileges escalations or read/update/delete data normally non accessible to the current user. - All personal_tokens can display another users planning. Exploiting this vulnerability requires the api to be enabled, a technician account. It can be mitigated by adding an application token (CVE-2020-11033).
In GLPI before version 9.4.6, there is a vulnerability that allows bypassing the open redirect protection based which is based on a regexp (CVE-2020-11034).
In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. The implementation uses rand and uniqid and MD5 which does not provide secure values (CVE-2020-11035).
In GLPI before version 9.4.6 there are multiple related stored XSS vulnerabilities. The package is vulnerable to Stored XSS in the comments of items in the Knowledge base. Adding a comment with content "" reproduces the attack. This can be exploited by a user with administrator privileges in the User-Agent field. It can also be exploited by an outside party through the following steps: 1. Create a user with the surname `" onmouseover="alert(document.cookie)` and an empty first name. 2. With this user, create a ticket 3. As an administrator (or other privileged user) open the created ticket 4. On the "last update" field, put your mouse on the name of the user 5. The XSS fires (CVE-2020-11036).

References

- https://bugs.mageia.org/show_bug.cgi?id=26625

- https://github.com/glpi-project/glpi/security/advisories/GHSA-rf54-3r4w-4h55

- https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg

- https://github.com/glpi-project/glpi/security/advisories/GHSA-w7q8-58qp-vmpf

- https://github.com/glpi-project/glpi/security/advisories/GHSA-3g3h-rwhr-7385

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q4BG2UTINBVV7MTJRXKBQ26GV2UINA6L/

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11033

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11034

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11035

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11036

Resolution

MGASA-2020-0220 - Updated glpi packages fix security vulnerabilities

SRPMS

- 7/core/glpi-9.4.5-1.2.mga7

Severity
Publication date: 24 May 2020
URL: https://advisories.mageia.org/MGASA-2020-0220.html
Type: security
CVE: CVE-2020-11033, CVE-2020-11034, CVE-2020-11035, CVE-2020-11036

Related News

5.ShakingHands Esm H320
Linus Torvalds Addresses Malicious Developers, Hardware Errors and More at Open Source Summit
2 - 3 min read
Apr 18, 2024
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
SPDX 3.0 Revolutionizes Software Management & Security
1 - 2 min read
Apr 17, 2024
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
xz-style Attacks Continue to Target Open-Source Maintainers
2 - 3 min read
Apr 16, 2024
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
Threat Actors Are Actively Using Pupy RAT Malware to Attack Linux Systems
1 - 2 min read
Apr 15, 2024
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
Ubuntu Linux 24.04 LTS Beta Released with Enhanced Security & Performance
2 - 4 min read
Apr 15, 2024
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
Growth in Open Source Use Among Businesses Analyzed
2 - 3 min read
Apr 12, 2024
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
Rust-Based Edera: Locking Down Container Security Once and For All
2 - 3 min read
Apr 12, 2024
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
Canonical launches Ubuntu Pro for IoT Devices
2 - 3 min read
Apr 10, 2024
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved