Skip to content
This repository was archived by the owner on Nov 2, 2024. It is now read-only.
This repository was archived by the owner on Nov 2, 2024. It is now read-only.

Potential RCE Vulnerability Disclosed (CVE-2024-31705) #27

Open
Open
Potential RCE Vulnerability Disclosed (CVE-2024-31705)#27
@cfi-gb

Description

@cfi-gb
cfi-gb
opened on Oct 14, 2024

Important:

  • This is not a vulnerability found / disclosed by me, just forwarding this in case it got missed / not forwarded here
  • In case this is not the correct contact way i would suggest to extend and merge Create SECURITY.md #26 accordingly

Hello,

in case it is not known yet i would like to notify you that a potential remote code execution (RCE) has been disclosed a few months. This got CVE-2024-31705 assigned and the links below contains more background info.

In case something is unclear / invalid i guess @V3locidad could be contacted or a new issue raised at https://github.com/V3locidad/GLPI_POC_Plugins_Shell/issues

References:

CVE ID: CVE-2024-31705

Title : RCE to Shell Commands" Plugin / GLPI Shell Command Management Interface

Affected Product : GLPI - 10.X.X and last version

Description: An issue in Infotel Conseil GLPI v.10.X.X and after allows a remote attacker to execute arbitrary code via
the insufficient validation of user-supplied input.

Affected Component : A remote code execution (RCE) vulnerability has been identified in the 'Shell Commands' plugin of
GLPI. This vulnerability affects all versions of the software, allowing a remote attacker to execute arbitrary code on
the system.

Attack Vectors : A remote code execution (RCE) vulnerability has been identified in the 'Shell Commands' plugin of the
GLPI (Gestionnaire Libre de Parc Informatique) system. This vulnerability is present in all versions of the plugin and
allows remote attackers to execute arbitrary code on the system. The flaw stems from insufficient validation of
user-supplied input within the plugin's functionality to execute shell commands.

Recommendation: Deactivate the Shell Commands plugin or apply strict restrictions to its access, please note that GLPI
has already removed it from its marketplace.

Reference : https://github.com/V3locidad/GLPI_POC_Plugins_Shell

Discoverer: Julien Mula / V3locidad

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions