Add CVE-2020-11035 for GHSA-w7q8-58qp-vmpf

2025-08-04 08:44:25 +00:00 · 2020-05-05 16:25:05 -05:00 · 2020-05-05 16:25:05 -05:00 · 357f87e7ef
commit 357f87e7ef
parent b042485819
1 changed files with 71 additions and 6 deletions
--- a/2020/11xxx/CVE-2020-11035.json
+++ b/2020/11xxx/CVE-2020-11035.json
@ -1,18 +1,83 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
    "CVE_data_meta": {
+        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2020-11035",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
+        "STATE": "PUBLIC",
+        "TITLE": "weak CSRF tokens in GLPI"
    },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "GLPI",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_value": "> 0.83.3, < 9.4.6"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    },
+                    "vendor_name": "glpi-project"
+                }
+            ]
+        }
+    },
+    "data_format": "MITRE",
+    "data_type": "CVE",
+    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                "value": "In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are generated using an insecure algorithm. The implementation uses rand and uniqid and MD5 which does not provide secure values.\n\nThis is fixed in version 9.4.6."
            }
        ]
+    },
+    "impact": {
+        "cvss": {
+            "attackComplexity": "HIGH",
+            "attackVector": "NETWORK",
+            "availabilityImpact": "NONE",
+            "baseScore": 7.5,
+            "baseSeverity": "HIGH",
+            "confidentialityImpact": "HIGH",
+            "integrityImpact": "LOW",
+            "privilegesRequired": "NONE",
+            "scope": "CHANGED",
+            "userInteraction": "NONE",
+            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N",
+            "version": "3.1"
+        }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
+                    }
+                ]
+            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-w7q8-58qp-vmpf",
+                "refsource": "CONFIRM",
+                "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-w7q8-58qp-vmpf"
+            }
+        ]
+    },
+    "source": {
+        "advisory": "GHSA-w7q8-58qp-vmpf",
+        "discovery": "UNKNOWN"
    }
 }