{"id":"UBUNTU-CVE-2023-34254","details":"The GLPI Agent is a generic management agent. Prior to version 1.5, if glpi-agent is running a remoteinventory task against a Unix platform with the ssh command, an administrator user on the remote can manage to inject a command in a specific workflow the agent would run with the privileges it uses. If the agent is running with administration privileges, a malicious user could gain high privileges on the computer glpi-agent is running on. A malicious user could also disclose all remote accesses the agent is configured with for the remoteinventory task. This vulnerability has been patched in glpi-agent 1.5.","modified":"2025-10-24T05:02:04Z","published":"2023-06-23T21:15:00Z","upstream":["CVE-2023-34254"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-34254"},{"type":"REPORT","url":"https://github.com/glpi-project/glpi-agent/security/advisories/GHSA-39vc-hxgm-j465"},{"type":"REPORT","url":"https://github.com/glpi-project/glpi-agent/blob/dd313ee0914becf74c0e48cb512765210043b478/Changes#L98"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2023-34254"}],"affected":[{"package":{"name":"glpi","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/glpi@0.84.8+dfsg.1-1ubuntu1?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.84.8+dfsg.1-1","0.84.8+dfsg.1-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"glpi","binary_version":"0.84.8+dfsg.1-1ubuntu1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-34254.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]}