PT-2020-18342 · Teclib+1 · Glpi+1
Moderatetrasher
Published 2020-05-12 · Updated 2020-07-27
CVE-2020-5248
CVSS v3.1: 7.2 (High)
Vector: AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
GLPI versions prior to 9.4.6
Description
GLPI ships with a default encryption key, GLPIKEY, that is public and identical across all instances, so the key gives no protection to anyone who obtains the encrypted values: an unauthorized party can decrypt the sensitive data stored with it. The key can be changed before GLPI is installed, but on an existing instance every value encrypted with the old key must be re-encrypted with the new one. It is hard to identify which database columns and rows were encrypted with this key, especially those written by plugins. Changing the key without re-encrypting the data breaks password sending, but re-saving the affected data from the UI resolves this.
Recommendations
For versions prior to 9.4.6, update to version 9.4.6 or later. In addition, re-encrypt sensitive data with a new key, and re-save the affected data from the UI to avoid password sending issues. Where possible, change the default encryption key before installing GLPI so that no data is ever stored under the public key.
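Re-keying the stored secrets is the remediation step described above. As an added example, not GLPI's own code (GLPI's stored-data format is not AES-GCM and is not reproduced here), the following Go routine, using assumed names, rotates one row from an old key to a per-instance key, refuses to rotate onto the publicly known default, and reports rows that were not encrypted under the old key, which is the plugin-column problem the description mentions; the default key value is a constructed placeholder.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
)

var defaultKey = []byte("DEFAULT-KEY-PLACEHOLDER-32BYTES!") // constructed placeholder, not GLPI's real value

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // stored as nonce || ciphertext, fresh nonce per row
}

func Unseal(key, data []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil || len(data) < gcm.NonceSize() { // || short-circuits, so gcm is non-nil here
		return nil, errors.New("bad key length or truncated ciphertext")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil) // wrong key fails the tag check
}

// RotateRow re-seals one secret under newKey; a row that does not open under oldKey (e.g. a plugin column keyed differently) is reported, not silently rewritten.
func RotateRow(ct, oldKey, newKey []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare(newKey, defaultKey) == 1 {
		return nil, errors.New("refusing to rotate onto the shared default key")
	}
	pt, err := Unseal(oldKey, ct)
	if err != nil {
		return nil, errors.New("row does not decrypt under the old key: " + err.Error())
	}
	return Seal(newKey, pt)
}
```

Looping over a table's rows and writing the results back is left to the caller; a row that RotateRow rejects marks a column that needs its own key handling rather than a blind rewrite.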
Weakness Enumeration
Using Hardcoded Credentials
Affected Products
Alt Linux
Glpi