156 lines
6.2 KiB
JSON
156 lines
6.2 KiB
JSON
{
|
|
"Definition": [
|
|
{
|
|
"ID": "oval:org.altlinux.errata:def:20231537",
|
|
"Version": "oval:org.altlinux.errata:def:20231537",
|
|
"Class": "patch",
|
|
"Metadata": {
|
|
"Title": "ALT-PU-2023-1537: package `glpi` update to version 9.5.12-alt1",
|
|
"AffectedList": [
|
|
{
|
|
"Family": "unix",
|
|
"Platforms": [
|
|
"ALT Linux branch p9"
|
|
],
|
|
"Products": [
|
|
"ALT Server",
|
|
"ALT Virtualization Server",
|
|
"ALT Workstation",
|
|
"ALT Workstation K",
|
|
"ALT Education",
|
|
"Simply Linux",
|
|
"Starterkit"
|
|
]
|
|
}
|
|
],
|
|
"References": [
|
|
{
|
|
"RefID": "ALT-PU-2023-1537",
|
|
"RefURL": "https://errata.altlinux.org/ALT-PU-2023-1537",
|
|
"Source": "ALTPU"
|
|
},
|
|
{
|
|
"RefID": "CVE-2022-41941",
|
|
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-41941",
|
|
"Source": "CVE"
|
|
},
|
|
{
|
|
"RefID": "CVE-2023-22722",
|
|
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-22722",
|
|
"Source": "CVE"
|
|
},
|
|
{
|
|
"RefID": "CVE-2023-22725",
|
|
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-22725",
|
|
"Source": "CVE"
|
|
},
|
|
{
|
|
"RefID": "CVE-2023-23610",
|
|
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-23610",
|
|
"Source": "CVE"
|
|
}
|
|
],
|
|
"Description": "This update upgrades glpi to version 9.5.12-alt1. \nSecurity Fix(es):\n\n * CVE-2022-41941: GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6, are subject to Cross-site Scripting. An administrator may store malicious code in help links. This issue is patched in 10.0.6.\n\n * CVE-2023-22722: GLPI is a Free Asset and IT Management Software package. Versions 9.4.0 and above, prior to 10.0.6 are subject to Cross-site Scripting. An attacker can persuade a victim into opening a URL containing a payload exploiting this vulnerability. After exploited, the attacker can make actions as the victim or exfiltrate session cookies. This issue is patched in version 10.0.6.\n\n * CVE-2023-22725: GLPI is a Free Asset and IT Management Software package. Versions 0.6.0 and above, prior to 10.0.6 are vulnerable to Cross-site Scripting. This vulnerability allow for an administrator to create a malicious external link. This issue is patched in 10.0.6.\n\n * CVE-2023-23610: GLPI is a Free Asset and IT Management Software package. Versions prior to 9.5.12 and 10.0.6 are vulnerable to Improper Privilege Management. Any user having access to the standard interface can export data of almost any GLPI item type, even those on which user is not allowed to access (including assets, tickets, users, ...). This issue is patched in 10.0.6.",
|
|
"Advisory": {
|
|
"From": "errata.altlinux.org",
|
|
"Severity": "Low",
|
|
"Rights": "Copyright 2023 BaseALT Ltd.",
|
|
"Issued": {
|
|
"Date": "2023-03-29"
|
|
},
|
|
"Updated": {
|
|
"Date": "2023-03-29"
|
|
},
|
|
"bdu": null,
|
|
"Cves": [
|
|
{
|
|
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
|
|
"Cwe": "CWE-79",
|
|
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-41941",
|
|
"Impact": "Low",
|
|
"Public": "20230126",
|
|
"CveID": "CVE-2022-41941"
|
|
},
|
|
{
|
|
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
|
|
"Cwe": "CWE-79",
|
|
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-22722",
|
|
"Impact": "Low",
|
|
"Public": "20230126",
|
|
"CveID": "CVE-2023-22722"
|
|
},
|
|
{
|
|
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
|
|
"Cwe": "CWE-79",
|
|
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-22725",
|
|
"Impact": "Low",
|
|
"Public": "20230126",
|
|
"CveID": "CVE-2023-22725"
|
|
},
|
|
{
|
|
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
|
|
"Cwe": "CWE-732",
|
|
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-23610",
|
|
"Impact": "Low",
|
|
"Public": "20230126",
|
|
"CveID": "CVE-2023-23610"
|
|
}
|
|
],
|
|
"AffectedCpeList": {
|
|
"Cpe": [
|
|
"cpe:/o:alt:kworkstation:9",
|
|
"cpe:/o:alt:workstation:9",
|
|
"cpe:/o:alt:server:9",
|
|
"cpe:/o:alt:server-v:9",
|
|
"cpe:/o:alt:education:9",
|
|
"cpe:/o:alt:slinux:9",
|
|
"cpe:/o:alt:starterkit:p9",
|
|
"cpe:/o:alt:kworkstation:9.1",
|
|
"cpe:/o:alt:workstation:9.1",
|
|
"cpe:/o:alt:server:9.1",
|
|
"cpe:/o:alt:server-v:9.1",
|
|
"cpe:/o:alt:education:9.1",
|
|
"cpe:/o:alt:slinux:9.1",
|
|
"cpe:/o:alt:starterkit:9.1",
|
|
"cpe:/o:alt:kworkstation:9.2",
|
|
"cpe:/o:alt:workstation:9.2",
|
|
"cpe:/o:alt:server:9.2",
|
|
"cpe:/o:alt:server-v:9.2",
|
|
"cpe:/o:alt:education:9.2",
|
|
"cpe:/o:alt:slinux:9.2",
|
|
"cpe:/o:alt:starterkit:9.2"
|
|
]
|
|
}
|
|
}
|
|
},
|
|
"Criteria": {
|
|
"Operator": "AND",
|
|
"Criterions": [
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:1001",
|
|
"Comment": "ALT Linux must be installed"
|
|
}
|
|
],
|
|
"Criterias": [
|
|
{
|
|
"Operator": "OR",
|
|
"Criterions": [
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20231537001",
|
|
"Comment": "glpi is earlier than 0:9.5.12-alt1"
|
|
},
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20231537002",
|
|
"Comment": "glpi-apache2 is earlier than 0:9.5.12-alt1"
|
|
},
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20231537003",
|
|
"Comment": "glpi-php7 is earlier than 0:9.5.12-alt1"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
} |