Description
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, license tracking and software auditing. In GLPI before version 9.5.4, it is possible to create tickets on behalf of another user through the self-service interface even when the delegatee system is not enabled. This is fixed in version 9.5.4.
Affected Software
Related
{"id": "CVE-2021-21326", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-21326", "description": "GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 it is possible to create tickets for another user with self-service interface without delegatee systems enabled. This is fixed in version 9.5.4.", "published": "2021-03-08T17:15:00", "modified": "2021-03-16T21:01:00", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 4.0}, "severity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21326", "reporter": "security-advisories@github.com", "references": ["https://github.com/glpi-project/glpi/security/advisories/GHSA-vmj9-cg56-p7wh", "https://github.com/glpi-project/glpi/releases/tag/9.5.4"], "cvelist": ["CVE-2021-21326"], "immutableFields": [], "lastseen": "2022-03-23T13:38:58", "viewCount": 17, "enchantments": {"dependencies": {"references": [{"type": "altlinux", "idList": ["D37A66E1CE7616399D52A9C502A9176E"]}, 
{"type": "attackerkb", "idList": ["AKB:8C7760BA-B916-4F78-A95E-36192475B4DA"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-21326"]}]}, "score": {"value": 5.6, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:8C7760BA-B916-4F78-A95E-36192475B4DA"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-21326"]}]}, "exploitation": null, "affected_software": {"major_version": [{"name": "glpi-project glpi", "version": 9}]}, "vulnersScore": 5.6}, "_state": {"dependencies": 1660004461, "score": 1659896800, "affected_software_major_version": 1671593568}, "_internal": {"score_hash": "9e326aaf090aef9e31a20bbd3cf66330"}, "cna_cvss": {"cna": "GitHub, Inc.", "cvss": {"3": {"vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "score": 7.7}}}, "cpe": [], "cpe23": [], "cwe": ["CWE-862"], "affectedSoftware": [{"cpeName": "glpi-project:glpi", "version": "9.5.4", "operator": "lt", "name": "glpi-project glpi"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:glpi-project:glpi:9.5.4:*:*:*:*:*:*:*", "versionEndExcluding": "9.5.4", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-vmj9-cg56-p7wh", "name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-vmj9-cg56-p7wh", "refsource": "CONFIRM", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/glpi-project/glpi/releases/tag/9.5.4", "name": "https://github.com/glpi-project/glpi/releases/tag/9.5.4", "refsource": "MISC", "tags": ["Release Notes", "Third Party Advisory"]}]}
{"attackerkb": [{"lastseen": "2021-07-20T20:10:29", "description": "GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 it is possible to create tickets for another user with self-service interface without delegatee systems enabled. This is fixed in version 9.5.4.\n\n \n**Recent assessments:** \n \n**indevi0us** at March 10, 2021 12:45pm UTC reported:\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 5\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-03-08T00:00:00", "type": "attackerkb", "title": "CVE-2021-21326", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21326"], "modified": "2021-03-17T00:00:00", "id": "AKB:8C7760BA-B916-4F78-A95E-36192475B4DA", "href": "https://attackerkb.com/topics/DujTIauHj0/cve-2021-21326", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}], "ubuntucve": [{"lastseen": "2023-01-27T13:35:44", "description": "GLPI is an open-source asset and IT management software package 
that\nprovides ITIL Service Desk features, licenses tracking and software\nauditing. In GLPI before version 9.5.4 it is possible to create tickets for\nanother user with self-service interface without delegatee systems enabled.\nThis is fixed in version 9.5.4.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-08T00:00:00", "type": "ubuntucve", "title": "CVE-2021-21326", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21326"], "modified": "2021-03-08T00:00:00", "id": "UB:CVE-2021-21326", "href": "https://ubuntu.com/security/CVE-2021-21326", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}], "altlinux": [{"lastseen": "2022-06-10T03:04:51", "description": "9.5.4-alt1 built April 14, 2021 Pavel Zilke in task [#269862](<https://git.altlinux.org/tasks/269862/>) \n--- \nMarch 31, 2021 Pavel Zilke \n \n \n - New version 9.5.4\n - This is a security release, upgrading is recommended\n - Security fixes:\n + CVE-2021-21326 : Horizontal Privilege Escalation\n + CVE-2021-21255 : entities switch IDOR\n + CVE-2021-21258 : XSS injection in ajax/kanban\n + CVE-2021-21314 : XSS injection on 
ticket update\n + CVE-2021-21312 : Stored XSS on documents\n + CVE-2021-21313 : XSS on tabs\n + CVE-2021-21325 : Stored XSS in budget type\n + CVE-2021-21327 : Unsafe Reflection in getItemForItemtype()\n + CVE-2021-21324 : Insecure Direct Object Reference (IDOR) on \"Solutions\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-14T00:00:00", "type": "altlinux", "title": "Security fix for the ALT Linux 9 package glpi version 9.5.4-alt1", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21255", "CVE-2021-21258", "CVE-2021-21312", "CVE-2021-21313", "CVE-2021-21314", "CVE-2021-21324", "CVE-2021-21325", "CVE-2021-21326", "CVE-2021-21327"], "modified": "2021-04-14T00:00:00", "id": "D37A66E1CE7616399D52A9C502A9176E", "href": "https://packages.altlinux.org/en/p9/srpms/glpi/2650885283753470949", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}]}