PT-2023-24778 · Unknown+1 · Glpi Agent+1

Alemmi +1 · Published 2023-06-23 · Updated 2024-08-12 · CVE-2023-34254

CVSS v3.1: 7.6 (High)

Vector: AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

GLPI Agent versions prior to 1.5

Description

The issue affects the GLPI Agent, a generic management agent, when running the remoteinventory task against a Unix platform using the ssh command. An administrator user on the remote system can inject a command into a specific workflow that the agent runs with its privileges. If the agent is running with administration privileges, a malicious user could gain high privileges on the computer running the GLPI Agent. Additionally, a malicious user could disclose all remote accesses configured for the remoteinventory task.

Recommendations

For versions prior to 1.5, update to version 1.5 to resolve the issue. As a temporary workaround, consider restricting the privileges of the GLPI Agent when running the remoteinventory task to minimize the risk of exploitation. Restrict access to the remoteinventory task to trusted users only.

Exploit

Fix

Weakness Enumeration

OS Command Injection

Related Identifiers

CVE-2023-34254
GHSA-39VC-HXGM-J465

Affected Products

Glpi Agent
Red Os