Linux Distros Unpatched Vulnerability : CVE-2021-21324

🗓️ 03 Sep 2025 00:00:00Reported by TenableType

GLPI before 9.5.4 has an IDOR that lets authenticated users enumerate items and users via search.

Reporter	Title	Published	Views	Family All 67
ALT Linux	Security fix for the ALT Linux 10 package glpi version 9.5.4-alt1	31 Mar 202100:00	–	altlinux
ALT Linux	Security fix for the ALT Linux 9 package glpi version 9.5.4-alt1	14 Apr 202100:00	–	altlinux
ATTACKERKB	CVE-2021-21324	8 Mar 202100:00	–	attackerkb
CNNVD	GLPI 安全漏洞	8 Mar 202100:00	–	cnnvd
CNVD	Unspecified vulnerability in GLPI (CNVD-2021-17773)	12 Mar 202100:00	–	cnvd
CVE	CVE-2021-21324	8 Mar 202117:00	–	cve
Cvelist	CVE-2021-21324 Insecure Direct Object Reference (IDOR) on "Solutions"	8 Mar 202117:00	–	cvelist
EUVD	EUVD-2021-8670	3 Oct 202520:07	–	euvd
NVD	CVE-2021-21324	8 Mar 202117:15	–	nvd
OSV	UBUNTU-CVE-2021-21324	8 Mar 202117:15	–	osv

Source	Link
ubuntu	www.ubuntu.com/security/CVE-2021-21324
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(260779);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/09/03");

  script_cve_id("CVE-2021-21324");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2021-21324");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features,
    licenses tracking and software auditing. In GLPI before version 9.5.4 there is an Insecure Direct Object
    Reference (IDOR) on Solutions. This vulnerability gives an unauthorized user the ability to enumerate
    GLPI items names (including users logins) using the knowbase search form (requires authentication). To
    Reproduce: Perform a valid authentication at your GLPI instance, Browse the ticket list and select any
    open ticket, click on Solution form, then Search a solution form that will redirect you to the endpoint
    /glpi/front/knowbaseitem.php?item_itemtype=Ticket&item_items_id=18&forcetab=Knowbase$1, and the
    item_itemtype=Ticket parameter present in the previous URL will point to the PHP alias of glpi_tickets
    table, so just replace it with Users to point to glpi_users table instead; in the same way,
    item_items_id=18 will point to the related column id, so changing it too you should be able to enumerate
    all the content which has an alias. Since such id(s) are obviously incremental, a malicious party could
    exploit the vulnerability simply by guessing-based attempts. (CVE-2021-21324)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2021-21324");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-21324");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/03/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/09/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:glpi");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
  script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
  script_require_ports("Host/OS/Ubuntu Linux-16.04");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Ubuntu Linux-16.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "16.04",
        "pkgs": [
          {"reference": "glpi"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}

03 Sep 2025 00:00Current

6.8Medium risk

Vulners AI Score6.8

CVSS 24

CVSS 3.16.5 - 6.8

EPSS0.01416