CVE-2023-22500

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-22500

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-22500.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-22500

Aliases

GHSA-3ghv-p34r-5ghx

Downstream

UBUNTU-CVE-2023-22500

Published

2023-01-25T06:03:56.522Z

Modified

2025-12-04T23:37:49.993134Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

glpi Unauthorized access to inventory files

Details

GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6 are vulnerable to Incorrect Authorization. This vulnerability allow unauthorized access to inventory files. Thus, if anonymous access to FAQ is allowed, inventory files are accessbile by unauthenticated users. This issue is patched in version 10.0.6. As a workaround, disable native inventory and delete inventory files from server (default location is files/_inventory).

Database specific

{
    "cwe_ids": [
        "CWE-863"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/22xxx/CVE-2023-22500.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/glpi-project/glpi

Affected ranges

Type: GIT
Repo: https://github.com/glpi-project/glpi
Events: Introduced

815997021a5df4feb7077a12f6f52769e9bd3459

Fixed

e2d0f893191952f35c6b1a6013418308e3e1dbc2

Affected versions

10.*

10.0.0

10.0.1

10.0.2

10.0.3

10.0.4

10.0.5