CVE-2020-11035: weak CSRF tokens in GLPI
First published: Tue May 05 2020(Updated: )
In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. The implementation uses rand and uniqid and MD5 which does not provide secure values. This is fixed in version 9.4.6.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GLPI | >=0.83.3<9.4.6 | |
| Red Hat Fedora | =31 | |
| Red Hat Fedora | =32 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/glpi-project/glpi/security/advisories/GHSA-w7q8-58qp-vmpf
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5WQMONZRWLWOXMHMYWR7A5Q5JJERPMVC/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q4BG2UTINBVV7MTJRXKBQ26GV2UINA6L/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q4BG2UTINBVV7MTJRXKBQ26GV2UINA6L/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5WQMONZRWLWOXMHMYWR7A5Q5JJERPMVC/
Frequently Asked Questions
What is the severity of CVE-2020-11035?
CVE-2020-11035 has been classified as a medium severity vulnerability due to its potential impact on application security.
How do I fix CVE-2020-11035?
To fix CVE-2020-11035, upgrade GLPI to version 9.4.6 or later, which addresses the insecure CSRF token generation.
Which versions of GLPI are affected by CVE-2020-11035?
GLPI versions after 0.83.3 and before 9.4.6 are affected by CVE-2020-11035.
What type of vulnerability is CVE-2020-11035?
CVE-2020-11035 is a Cross-Site Request Forgery (CSRF) vulnerability caused by insecure token generation.
Is Fedora impacted by CVE-2020-11035?
Yes, Fedora users should be aware of CVE-2020-11035 if they are using affected versions of GLPI.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/weakness
- agent/author
- agent/references
- agent/title
- agent/severity
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/glpi-project
- canonical/glpi
- version/glpi/0.83.3
- vendor/fedoraproject
- canonical/red hat fedora
- version/red hat fedora/31
- version/red hat fedora/32