Bug 1838307 (CVE-2020-11060)

Summary: CVE-2020-11060 glpi: remote code execution via the backup functionality
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Assignee: Red Hat Product Security <security-response-team>
CC: extras-orphan
Last Closed: 2021-10-28 05:26:20 UTC
Bug Depends On: 1838308

Description Guilherme de Almeida Suckevicz 2020-05-20 20:26:27 UTC
In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.

Reference:
https://github.com/glpi-project/glpi/security/advisories/GHSA-cvvq-3fww-5v6f

Upstream commit:
https://github.com/glpi-project/glpi/commit/ad748d59c94da177a3ed25111c453902396f320c
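
Added check, not part of this Bugzilla entry or of the GLPI project: a POSIX shell script that reads the version a GLPI install declares and reports whether it is below the 9.4.6 fix release named above. It assumes GLPI declares its version in inc/define.php as define('GLPI_VERSION', '...') under the install root; that path and form are assumptions about the 9.4 source layout, so confirm them against your own checkout. The script name glpi_check.sh is also assumed.

```shell
#!/bin/sh
# Added example for CVE-2020-11060; not code from the Bugzilla entry or the
# GLPI project. Assumption: GLPI declares its version in inc/define.php as
#     define('GLPI_VERSION', '9.4.5');
# Check this against your own checkout before relying on it.

FIXED_VERSION="9.4.6"   # first fixed release, per the advisory above

# Print the version string found in a define.php file (empty if none).
glpi_version_from_define() {
    sed -n "s/.*define('GLPI_VERSION', *'\([^']*\)').*/\1/p" "$1" | head -n 1
}

# Exit 0 when dotted version $1 sorts strictly below $2 (missing parts count as 0).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        k = (n > m) ? n : m;
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1;   # equal
    }'
}

# Exit 0 when the GLPI tree rooted at $1 declares a version below FIXED_VERSION,
# 1 when it is at or above it, 2 when no version could be read.
glpi_affected() {
    v=$(glpi_version_from_define "$1/inc/define.php")
    if [ -z "$v" ]; then
        echo "no GLPI_VERSION found in $1/inc/define.php" >&2
        return 2
    fi
    version_lt "$v" "$FIXED_VERSION"
}

# Command-line use: sh glpi_check.sh /path/to/glpi
if [ $# -gt 0 ]; then
    if glpi_affected "$1"; then
        echo "$1: GLPI $(glpi_version_from_define "$1/inc/define.php") is below $FIXED_VERSION; CVE-2020-11060 applies"
    else
        echo "$1: not below $FIXED_VERSION"
    fi
fi
```

Run it as `sh glpi_check.sh /var/www/glpi`. It only reads the declared version: a tree patched by hand without bumping define.php is still flagged, and the result says nothing about whether the epel-7 package tracked in bug 1838308 carries the fix; check that package's changelog separately.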

Comment 1 Guilherme de Almeida Suckevicz 2020-05-20 20:27:48 UTC
Created glpi tracking bugs for this issue:

Affects: epel-7 [bug 1838308]