A vulnerability was found in Teclib GLPI up to 9.4.1.0 (Asset Management Software). It has been rated as critical. This issue affects an unknown code block of the component Cookie Handler. The manipulation with an unknown input leads to a race condition vulnerability. Using CWE to declare the problem leads to CWE-362. The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

Teclib GLPI before 9.4.1.1 is affected by a timing attack associated with a cookie.

The bug was discovered 03/11/2019. The weakness was published 03/27/2019. The identification of this vulnerability is CVE-2019-10233 since 03/27/2019. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. The technical details are unknown and an exploit is not publicly available.

The vulnerability was handled as a non-public zero-day exploit for at least 16 days. During that time the estimated underground price was around $0-$5k.

Upgrading to version 9.4.1.1 eliminates this vulnerability.

Similar entries are available at VDB-132514 and VDB-132513. If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Type

• Asset Management Software

Vendor

• Teclib

Name

• GLPI

Version

• 9.4.0
• 9.4.1.0

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion