The GLPI Agent is a generic management agent. A vulnerability that only affects GLPI-Agent installed on windows via MSI packaging can allow a local user to cause denial of agent service by replacing GLPI server url with a wrong url or disabling the service. Additionally, in the case the Deploy task is installed, a local malicious user can trigger privilege escalation configuring a malicious server providing its own deploy task payload. GLPI-Agent 1.7.2 contains a patch for this issue. As a workaround, edit GLPI-Agent related key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and add SystemComponent DWORD value setting it to 1 to hide GLPI-Agent from installed applications.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/28xxx/CVE-2024-28240.json",
"cwe_ids": [
"CWE-20"
],
"cna_assigner": "GitHub_M"
}{
"cpe": "cpe:2.3:a:glpi-project:glpi_agent:*:*:*:*:*:*:*:*",
"source": [
"CPE_RANGE",
"REFERENCES"
],
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "1.7.2"
}
]
}