CVE: CVE-2020-5248

Export to Word

GLPI before before version 9.4.6 has a vulnerability involving a default encryption key. GLPIKEY is public and is used on every instance. This means anyone can decrypt sensitive data stored using this key. It is possible to change the key before installing GLPI. But on existing instances, data must be reencrypted with the new key. Problem is we can not know which columns or rows in the database are using that; espcially from plugins. Changing the key without updating data would lend in bad password sent from glpi; but storing them again from the UI will work.

Threat-Mapped Scoring

Score: 3.0

Priority: P2 - Serious (High)

S1 – Steal Customer Account Information

EPSS

Score: 0.02836
Percentile: 0.85617

CVSS Scoring

CVSS v3.1 Score: 7.2

Severity: HIGH

Mapped CWE(s)

CWE-798 : Use of Hard-coded Credentials

All CAPEC(s)

CAPEC-191: Read Sensitive Constants Within an Executable
CAPEC-70: Try Common or Default Usernames and Passwords

CAPEC(s) with Mapped TTPs

CAPEC-191: Read Sensitive Constants Within an Executable
Mapped TTPs:
- T1552.001 : Credentials In Files
CAPEC-70: Try Common or Default Usernames and Passwords
Mapped TTPs:
- T1078.001 : Default Accounts

Mapped ATT&CK TTPs

T1552.001 : Credentials In Files
Kill Chain: credential-access
T1078.001 : Default Accounts
Kill Chain: defense-evasion

Malware

APTs Threat Group Associations

Campaigns

Leviathan Australian Intrusions
HomeLand Justice

Affected Products

cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

← Back to Home