CVE-2020-5248

Public GLPIKEY can be used to decrypt any data in GLPI

  • Severity Score: 5.3 (CVSS v3.1)
  • Public Exploits: 2 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

GLPI before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on existing instances, data must be reencrypted with the new key. The problem is that we cannot know which columns or rows in the database are using it, especially those from plugins. Changing the key without updating the data would result in a bad password being sent from GLPI, but storing the passwords again from the UI will work.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None, Scope: Unchanged, Confidentiality: Low, Integrity: None, Availability: None
  • Attack Vector: Local, Attack Complexity: High, Privileges Required: High, User Interaction: None, Scope: Changed, Confidentiality: High, Integrity: High, Availability: None
  • Attack Vector: Network, Attack Complexity: Low, Authentication: None, Confidentiality: Partial, Integrity: None, Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2020-01-02 CVE Reserved
  • 2020-05-12 CVE Published
  • 2021-07-29 First Exploit
  • 2023-03-08 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-798: Use of Hard-coded Credentials
CAPEC
Affected Vendors, Products, and Versions
Vendor        Product  Version  Other  Status
Glpi-project  Glpi     < 9.4.6  -      Affected