It was found that GLPI, the Information Resource-Manager with an additional Administration-Interface, did not properly blacklist certain sensitive variables (like GLPI username and password). A remote attacker could use this flaw to obtain access to the plaintext form of these values via a specially-crafted HTTP POST request.

References:
[1] http://www.glpi-project.org/spip.php?page=annonce&id_breve=237&lang=en
[2] https://forge.indepnet.net/projects/glpi/versions/605
[3] https://forge.indepnet.net/issues/3017

Relevant patches:
[4] https://forge.indepnet.net/projects/glpi/repository/revisions/14951
[5] https://forge.indepnet.net/projects/glpi/repository/revisions/14952
[6] https://forge.indepnet.net/projects/glpi/repository/revisions/14954
[7] https://forge.indepnet.net/projects/glpi/repository/revisions/14955
[8] https://forge.indepnet.net/projects/glpi/repository/revisions/14956
[9] https://forge.indepnet.net/projects/glpi/repository/revisions/14957
[10] https://forge.indepnet.net/projects/glpi/repository/revisions/14958
[11] https://forge.indepnet.net/projects/glpi/repository/revisions/14960
[12] https://forge.indepnet.net/projects/glpi/repository/revisions/14966

Created glpi tracking bugs for this issue

Affects: fedora-all [bug 726186]
Affects: epel-5 [bug 726187]
Affects: epel-6 [bug 726188]

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.