NVD Vulnerability Detail

CVE-2011-2720

Summary	The autocompletion functionality in GLPI before 0.80.2 does not blacklist certain username and password fields, which allows remote attackers to obtain sensitive information via a crafted POST request.
Publication Date	Aug. 6, 2011, 6:55 a.m.
Registration Date	Jan. 28, 2021, 4:39 p.m.
Last Update	Nov. 21, 2024, 10:28 a.m.

CVSS2.0 : MEDIUM
Score	5.0
Vector	AV:N/AC:L/Au:N/C:P/I:N/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃前の認証要否(Au)	不要
機密性への影響(C)	低
完全性への影響(I)	なし
可用性への影響(A)	なし
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:glpi-project:glpi:0.72.4:::::::*
cpe:2.3:a:glpi-project:glpi:0.72:rc1::::::
cpe:2.3:a:glpi-project:glpi:0.72.1:::::::*
cpe:2.3:a:glpi-project:glpi:0.72.2:::::::*
cpe:2.3:a:glpi-project:glpi:0.70:rc2::::::
cpe:2.3:a:glpi-project:glpi:0.70.1:::::::*
cpe:2.3:a:glpi-project:glpi:0.6:rc3::::::
cpe:2.3:a:glpi-project:glpi:0.71.5:::::::*
cpe:2.3:a:glpi-project:glpi:0.68.2:::::::*
cpe:2.3:a:glpi-project:glpi:0.5:rc1::::::
cpe:2.3:a:glpi-project:glpi:0.71.3:::::::*
cpe:2.3:a:glpi-project:glpi:0.70:::::::*
cpe:2.3:a:glpi-project:glpi:0.72:rc2::::::
cpe:2.3:a:glpi-project:glpi:0.71:::::::*
cpe:2.3:a:glpi-project:glpi:0.71.1:rc2::::::
cpe:2.3:a:glpi-project:glpi:0.72:::::::*
cpe:2.3:a:glpi-project:glpi:0.6:rc2::::::
cpe:2.3:a:glpi-project:glpi:0.70:rc3::::::
cpe:2.3:a:glpi-project:glpi:0.71.1:rc3::::::
cpe:2.3:a:glpi-project:glpi:0.78.2:::::::*
cpe:2.3:a:glpi-project:glpi:0.68:::::::*
cpe:2.3:a:glpi-project:glpi:0.72:rc3::::::
cpe:2.3:a:glpi-project:glpi:0.5:::::::*
cpe:2.3:a:glpi-project:glpi::::::::		0.80.1
cpe:2.3:a:glpi-project:glpi:0.71.2:::::::*
cpe:2.3:a:glpi-project:glpi:0.70:rc1::::::
cpe:2.3:a:glpi-project:glpi:0.71.4:::::::*
cpe:2.3:a:glpi-project:glpi:0.51:::::::*
cpe:2.3:a:glpi-project:glpi:0.65:rc2::::::
cpe:2.3:a:glpi-project:glpi:0.68.3:::::::*
cpe:2.3:a:glpi-project:glpi:0.65:rc1::::::
cpe:2.3:a:glpi-project:glpi:0.78.3:::::::*
cpe:2.3:a:glpi-project:glpi:0.68:rc1::::::
cpe:2.3:a:glpi-project:glpi:0.78.4:::::::*
cpe:2.3:a:glpi-project:glpi:0.51a:::::::*
cpe:2.3:a:glpi-project:glpi:0.78.1:::::::*
cpe:2.3:a:glpi-project:glpi:0.71.1:::::::*
cpe:2.3:a:glpi-project:glpi:0.6:::::::*
cpe:2.3:a:glpi-project:glpi:0.72.3:::::::*
cpe:2.3:a:glpi-project:glpi:0.71.6:::::::*
cpe:2.3:a:glpi-project:glpi:0.6:rc1::::::
cpe:2.3:a:glpi-project:glpi:0.68:rc3::::::
cpe:2.3:a:glpi-project:glpi:0.68.1:::::::*
cpe:2.3:a:glpi-project:glpi:0.71.1:rc1::::::
cpe:2.3:a:glpi-project:glpi:0.68:rc2::::::
cpe:2.3:a:glpi-project:glpi:0.5:rc2::::::
cpe:2.3:a:glpi-project:glpi:0.65:::::::*
cpe:2.3:a:glpi-project:glpi:0.78.5:::::::*
cpe:2.3:a:glpi-project:glpi:0.80:::::::*
cpe:2.3:a:glpi-project:glpi:0.42:::::::*
cpe:2.3:a:glpi-project:glpi:0.70.2:::::::*
cpe:2.3:a:glpi-project:glpi:0.78:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063408.html
2	http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063679.html
3	http://secunia.com/advisories/45366	Vendor Advisory
4	http://secunia.com/advisories/45542
5	http://www.glpi-project.org/spip.php?page=annonce&id_breve=237&lang=en
6	http://www.mandriva.com/security/advisories?name=MDVSA-2012:014
7	http://www.openwall.com/lists/oss-security/2011/07/25/7	Patch
8	http://www.openwall.com/lists/oss-security/2011/07/26/11	Patch
9	http://www.securityfocus.com/bid/48884
10	https://bugzilla.redhat.com/show_bug.cgi?id=726185	Patch
11	https://forge.indepnet.net/issues/3017
12	https://forge.indepnet.net/projects/glpi/repository/revisions/14951	Patch
13	https://forge.indepnet.net/projects/glpi/repository/revisions/14952	Patch
14	https://forge.indepnet.net/projects/glpi/repository/revisions/14954	Patch
15	https://forge.indepnet.net/projects/glpi/repository/revisions/14955	Patch
16	https://forge.indepnet.net/projects/glpi/repository/revisions/14956	Patch
17	https://forge.indepnet.net/projects/glpi/repository/revisions/14957	Patch
18	https://forge.indepnet.net/projects/glpi/repository/revisions/14958	Patch
19	https://forge.indepnet.net/projects/glpi/repository/revisions/14960	Patch
20	https://forge.indepnet.net/projects/glpi/repository/revisions/14966	Patch
21	https://forge.indepnet.net/projects/glpi/versions/605
22	http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063408.html
23	https://forge.indepnet.net/projects/glpi/versions/605
24	https://forge.indepnet.net/projects/glpi/repository/revisions/14966	Patch
25	https://forge.indepnet.net/projects/glpi/repository/revisions/14960	Patch
26	https://forge.indepnet.net/projects/glpi/repository/revisions/14958	Patch
27	https://forge.indepnet.net/projects/glpi/repository/revisions/14957	Patch
28	https://forge.indepnet.net/projects/glpi/repository/revisions/14956	Patch
29	https://forge.indepnet.net/projects/glpi/repository/revisions/14955	Patch
30	https://forge.indepnet.net/projects/glpi/repository/revisions/14954	Patch
31	https://forge.indepnet.net/projects/glpi/repository/revisions/14952	Patch
32	https://forge.indepnet.net/projects/glpi/repository/revisions/14951	Patch
33	https://forge.indepnet.net/issues/3017
34	https://bugzilla.redhat.com/show_bug.cgi?id=726185	Patch
35	http://www.securityfocus.com/bid/48884
36	http://www.openwall.com/lists/oss-security/2011/07/26/11	Patch
37	http://www.openwall.com/lists/oss-security/2011/07/25/7	Patch
38	http://www.mandriva.com/security/advisories?name=MDVSA-2012:014
39	http://www.glpi-project.org/spip.php?page=annonce&id_breve=237&lang=en
40	http://secunia.com/advisories/45542
41	http://secunia.com/advisories/45366	Vendor Advisory
42	http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063679.html

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-200	情報漏えい	https://cwe.mitre.org/data/definitions/200.html

JVN Vulnerability Information

GLPI のオートコンプリート機能における重要な情報を取得される脆弱性

Title	GLPI のオートコンプリート機能における重要な情報を取得される脆弱性
Summary	GLPI のオートコンプリート機能は、特定のユーザ名およびパスワードフィールドをブラックリスト化しないため、重要な情報を取得される脆弱性が存在します。
Possible impacts	第三者により、巧妙に細工された POST リクエストを介して、重要な情報を取得される可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Aug. 5, 2011, midnight
Registration Date	March 27, 2012, 6:43 p.m.
Last Update	March 27, 2012, 6:43 p.m.

Affected System

GLPI-PROJECT.ORG

GLPI 0.82.2 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2011-2720	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2720
National Vulnerability Database (NVD)
2	CVE-2011-2720	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2720

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-200	https://jvndb.jvn.jp/ja/cwe/CWE-200.html

ベンダー情報

No	Name	URL
GLPI-PROJECT
1	Top Page	http://www.glpi-project.org/

Change Log

No	Changed Details	Date of change
0	[2012年03月27日] 掲載	Feb. 17, 2018, 10:37 a.m.

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:glpi-project:glpi:0.72.4:::::::*
cpe:2.3:a:glpi-project:glpi:0.72:rc1::::::
cpe:2.3:a:glpi-project:glpi:0.72.1:::::::*
cpe:2.3:a:glpi-project:glpi:0.72.2:::::::*
cpe:2.3:a:glpi-project:glpi:0.70:rc2::::::
cpe:2.3:a:glpi-project:glpi:0.70.1:::::::*
cpe:2.3:a:glpi-project:glpi:0.6:rc3::::::
cpe:2.3:a:glpi-project:glpi:0.71.5:::::::*
cpe:2.3:a:glpi-project:glpi:0.68.2:::::::*
cpe:2.3:a:glpi-project:glpi:0.5:rc1::::::
cpe:2.3:a:glpi-project:glpi:0.71.3:::::::*
cpe:2.3:a:glpi-project:glpi:0.70:::::::*
cpe:2.3:a:glpi-project:glpi:0.72:rc2::::::
cpe:2.3:a:glpi-project:glpi:0.71:::::::*
cpe:2.3:a:glpi-project:glpi:0.71.1:rc2::::::
cpe:2.3:a:glpi-project:glpi:0.72:::::::*
cpe:2.3:a:glpi-project:glpi:0.6:rc2::::::
cpe:2.3:a:glpi-project:glpi:0.70:rc3::::::
cpe:2.3:a:glpi-project:glpi:0.71.1:rc3::::::
cpe:2.3:a:glpi-project:glpi:0.78.2:::::::*
cpe:2.3:a:glpi-project:glpi:0.68:::::::*
cpe:2.3:a:glpi-project:glpi:0.72:rc3::::::
cpe:2.3:a:glpi-project:glpi:0.5:::::::*
cpe:2.3:a:glpi-project:glpi::::::::		0.80.1
cpe:2.3:a:glpi-project:glpi:0.71.2:::::::*
cpe:2.3:a:glpi-project:glpi:0.70:rc1::::::
cpe:2.3:a:glpi-project:glpi:0.71.4:::::::*
cpe:2.3:a:glpi-project:glpi:0.51:::::::*
cpe:2.3:a:glpi-project:glpi:0.65:rc2::::::
cpe:2.3:a:glpi-project:glpi:0.68.3:::::::*
cpe:2.3:a:glpi-project:glpi:0.65:rc1::::::
cpe:2.3:a:glpi-project:glpi:0.78.3:::::::*
cpe:2.3:a:glpi-project:glpi:0.68:rc1::::::
cpe:2.3:a:glpi-project:glpi:0.78.4:::::::*
cpe:2.3:a:glpi-project:glpi:0.51a:::::::*
cpe:2.3:a:glpi-project:glpi:0.78.1:::::::*
cpe:2.3:a:glpi-project:glpi:0.71.1:::::::*
cpe:2.3:a:glpi-project:glpi:0.6:::::::*
cpe:2.3:a:glpi-project:glpi:0.72.3:::::::*
cpe:2.3:a:glpi-project:glpi:0.71.6:::::::*
cpe:2.3:a:glpi-project:glpi:0.6:rc1::::::
cpe:2.3:a:glpi-project:glpi:0.68:rc3::::::
cpe:2.3:a:glpi-project:glpi:0.68.1:::::::*
cpe:2.3:a:glpi-project:glpi:0.71.1:rc1::::::
cpe:2.3:a:glpi-project:glpi:0.68:rc2::::::
cpe:2.3:a:glpi-project:glpi:0.5:rc2::::::
cpe:2.3:a:glpi-project:glpi:0.65:::::::*
cpe:2.3:a:glpi-project:glpi:0.78.5:::::::*
cpe:2.3:a:glpi-project:glpi:0.80:::::::*
cpe:2.3:a:glpi-project:glpi:0.42:::::::*
cpe:2.3:a:glpi-project:glpi:0.70.2:::::::*
cpe:2.3:a:glpi-project:glpi:0.78:::::::*