161 lines
6.8 KiB
JSON
161 lines
6.8 KiB
JSON
{
|
||
"Definition": [
|
||
{
|
||
"ID": "oval:org.altlinux.errata:def:20222221",
|
||
"Version": "oval:org.altlinux.errata:def:20222221",
|
||
"Class": "patch",
|
||
"Metadata": {
|
||
"Title": "ALT-PU-2022-2221: package `glpi` update to version 9.5.8-alt1",
|
||
"AffectedList": [
|
||
{
|
||
"Family": "unix",
|
||
"Platforms": [
|
||
"ALT Linux branch p9"
|
||
],
|
||
"Products": [
|
||
"ALT Server",
|
||
"ALT Virtualization Server",
|
||
"ALT Workstation",
|
||
"ALT Workstation K",
|
||
"ALT Education",
|
||
"Simply Linux",
|
||
"Starterkit"
|
||
]
|
||
}
|
||
],
|
||
"References": [
|
||
{
|
||
"RefID": "ALT-PU-2022-2221",
|
||
"RefURL": "https://errata.altlinux.org/ALT-PU-2022-2221",
|
||
"Source": "ALTPU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2022-04910",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2022-04910",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "CVE-2022-24868",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-24868",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2022-24869",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-24869",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2022-31061",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-31061",
|
||
"Source": "CVE"
|
||
}
|
||
],
|
||
"Description": "This update upgrades glpi to version 9.5.8-alt1. \nSecurity Fix(es):\n\n * BDU:2022-04910: Уязвимость системы работы с заявками и инцидентами GLPI, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю осуществлять межсайтовые сценарные атаки\n\n * CVE-2022-24868: GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can exploit a lack of sanitization on SVG file uploads and inject javascript into their user avatar. As a result any user viewing the avatar will be subject to a cross site scripting attack. Users of GLPI are advised to upgrade. Users unable to upgrade should disallow SVG avatars.\n\n * CVE-2022-24869: GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can use ticket's followups or setup login messages with a stylesheet link. This may allow for a cross site scripting attack vector. This issue is partially mitigated by cors security of browsers, though users are still advised to upgrade.\n\n * CVE-2022-31061: GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions there is a SQL injection vulnerability which is possible on login page. No user credentials are required to exploit this vulnerability. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.",
|
||
"Advisory": {
|
||
"From": "errata.altlinux.org",
|
||
"Severity": "Critical",
|
||
"Rights": "Copyright 2023 BaseALT Ltd.",
|
||
"Issued": {
|
||
"Date": "2022-07-11"
|
||
},
|
||
"Updated": {
|
||
"Date": "2022-07-11"
|
||
},
|
||
"bdu": [
|
||
{
|
||
"Cvss": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
|
||
"Cvss3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
|
||
"Cwe": "CWE-89",
|
||
"Href": "https://bdu.fstec.ru/vul/2022-04910",
|
||
"Impact": "Critical",
|
||
"Public": "20220628",
|
||
"CveID": "BDU:2022-04910"
|
||
}
|
||
],
|
||
"Cves": [
|
||
{
|
||
"Cvss": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
|
||
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
|
||
"Cwe": "CWE-79",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-24868",
|
||
"Impact": "Low",
|
||
"Public": "20220421",
|
||
"CveID": "CVE-2022-24868"
|
||
},
|
||
{
|
||
"Cvss": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
|
||
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
|
||
"Cwe": "CWE-79",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-24869",
|
||
"Impact": "Low",
|
||
"Public": "20220421",
|
||
"CveID": "CVE-2022-24869"
|
||
},
|
||
{
|
||
"Cvss": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
|
||
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
|
||
"Cwe": "CWE-89",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-31061",
|
||
"Impact": "Critical",
|
||
"Public": "20220628",
|
||
"CveID": "CVE-2022-31061"
|
||
}
|
||
],
|
||
"AffectedCpeList": {
|
||
"Cpe": [
|
||
"cpe:/o:alt:kworkstation:9",
|
||
"cpe:/o:alt:workstation:9",
|
||
"cpe:/o:alt:server:9",
|
||
"cpe:/o:alt:server-v:9",
|
||
"cpe:/o:alt:education:9",
|
||
"cpe:/o:alt:slinux:9",
|
||
"cpe:/o:alt:starterkit:p9",
|
||
"cpe:/o:alt:kworkstation:9.1",
|
||
"cpe:/o:alt:workstation:9.1",
|
||
"cpe:/o:alt:server:9.1",
|
||
"cpe:/o:alt:server-v:9.1",
|
||
"cpe:/o:alt:education:9.1",
|
||
"cpe:/o:alt:slinux:9.1",
|
||
"cpe:/o:alt:starterkit:9.1",
|
||
"cpe:/o:alt:kworkstation:9.2",
|
||
"cpe:/o:alt:workstation:9.2",
|
||
"cpe:/o:alt:server:9.2",
|
||
"cpe:/o:alt:server-v:9.2",
|
||
"cpe:/o:alt:education:9.2",
|
||
"cpe:/o:alt:slinux:9.2",
|
||
"cpe:/o:alt:starterkit:9.2"
|
||
]
|
||
}
|
||
}
|
||
},
|
||
"Criteria": {
|
||
"Operator": "AND",
|
||
"Criterions": [
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:1001",
|
||
"Comment": "ALT Linux must be installed"
|
||
}
|
||
],
|
||
"Criterias": [
|
||
{
|
||
"Operator": "OR",
|
||
"Criterions": [
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20222221001",
|
||
"Comment": "glpi is earlier than 0:9.5.8-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20222221002",
|
||
"Comment": "glpi-apache2 is earlier than 0:9.5.8-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20222221003",
|
||
"Comment": "glpi-php7 is earlier than 0:9.5.8-alt1"
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
} |