First published: Fri Jun 23 2023
The GLPI Agent is a generic management agent. Prior to version 1.5, if glpi-agent is running the remoteinventory task against a Unix platform using the ssh command, an administrator user on the remote host can inject a command into a specific workflow that the agent then runs with its own privileges. If the agent is running with administrative privileges, a malicious user could therefore gain high privileges on the computer glpi-agent is running on. A malicious user could also disclose all remote accesses the agent is configured with for the remoteinventory task. This vulnerability has been patched in glpi-agent 1.5.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Glpi-project Glpi Agent | <1.5 | Upgrade to 1.5 or later |
CVE-2023-34254 is a vulnerability in the GLPI Agent software prior to version 1.5 that allows an administrator user on a remote Unix platform to inject a command and have it executed with the privileges of the agent.
CVE-2023-34254 is rated high severity, with a severity score of 7.2.
An attacker with administrator privileges on a remote Unix platform inventoried over SSH can exploit CVE-2023-34254 by injecting a command that runs with the privileges of the GLPI Agent.
The fix for CVE-2023-34254 is to upgrade the GLPI Agent software to version 1.5 or later.
More information about CVE-2023-34254 is available in the official GitHub repository of the GLPI Agent software.
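The only remediation the advisory gives is a version floor (1.5), and the impact depends on whether the agent runs with administrative privileges. The following script is an added example, not part of this advisory or of the GLPI project, that triages a fleet against that floor: it parses version strings, compares them numerically (so 1.10 is correctly treated as newer than 1.5), and ranks each host by whether a pre-1.5 agent also runs as root. The output format `GLPI Agent (x.y)` and the sample host list are constructed assumptions; adapt the regex to what your agents actually print.

```python
import re
from typing import Dict, List, Tuple

# Version in which CVE-2023-34254 was fixed, per the advisory.
FIXED_VERSION: Tuple[int, ...] = (1, 5)

# Constructed sample data: (hostname, captured version output, agent runs as root?).
# The "GLPI Agent (x.y)" output format is an assumption for this example.
SAMPLE_HOSTS = [
    ("inv-01", "GLPI Agent (1.4)", True),
    ("inv-02", "GLPI Agent (1.5)", True),
    ("inv-03", "GLPI Agent (1.10.1)", False),
    ("inv-04", "GLPI Agent (1.4.1)", False),
    ("inv-05", "command not found", False),
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, ...]:
    """Return the first dotted version in `text` as a tuple of ints.

    Tuples of ints compare numerically, so (1, 10, 1) > (1, 5); a plain
    string comparison would wrongly rank "1.10.1" below "1.5".
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.groups(default="0"))


def is_vulnerable(version_text: str) -> bool:
    """True when the reported agent version predates the 1.5 fix."""
    return parse_version(version_text) < FIXED_VERSION


def assess(hosts) -> List[Dict[str, str]]:
    """Classify each host by exposure to CVE-2023-34254.

    Per the advisory, any pre-1.5 agent running remoteinventory over ssh
    risks disclosure of its configured remote accesses; if that agent also
    runs with administrative privileges, a remote administrator can
    additionally escalate to those privileges on the agent host.
    """
    findings = []
    for host, output, runs_as_root in hosts:
        try:
            vulnerable = is_vulnerable(output)
        except ValueError:
            # Version could not be determined: do not silently mark as safe.
            findings.append({"host": host, "status": "unknown",
                             "action": "verify agent install manually"})
            continue
        if not vulnerable:
            findings.append({"host": host, "status": "fixed", "action": "none"})
        elif runs_as_root:
            findings.append({"host": host, "status": "vulnerable-privileged",
                             "action": "upgrade to >=1.5 first; treat configured "
                                       "remote accesses as possibly exposed"})
        else:
            findings.append({"host": host, "status": "vulnerable",
                             "action": "upgrade to >=1.5; treat configured "
                                       "remote accesses as possibly exposed"})
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_HOSTS):
        print(f"{f['host']}: {f['status']} -> {f['action']}")
```

Hosts whose version cannot be parsed are reported as `unknown` rather than assumed safe, which is the failure mode that matters in a fleet sweep; the privileged-and-vulnerable tier is listed separately because that is the combination the advisory identifies as leading to privilege escalation rather than disclosure alone.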