CVE-2020-11031 Information

Description

In GLPI before version 9.5.0 the encryption algorithm used is insecure. The security of the data encrypted relies on the password used if a user sets a weak/predictable password an attacker could decrypt data. This is fixed in version 9.5.0 by using a more secure encryption library. The library chosen is sodium.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

https://github.com/glpi-project/glpi/commit/f1ae6c8481e5c19a6f1801a5548cada45702e01adiff-b5d0ee8c97c7abd7e3fa29b9a27d1780 https://github.com/glpi-project/glpi/security/advisories/GHSA-7xwm-4vjr-jvqh

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

7.5