CVSS3: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS2: 4 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N

EPSS: 0.002 Low
Percentile: 53.0%

GLPI is an open-source asset and IT management software package that
provides ITIL Service Desk features, license tracking and software
auditing. In GLPI before version 9.5.4 there is an Insecure Direct Object
Reference (IDOR) on “Solutions”. This vulnerability gives an unauthorized
user the ability to enumerate GLPI item names (including user logins)
using the knowbase search form (requires authentication).

To reproduce: perform a valid authentication at your GLPI instance, browse
the ticket list and select any open ticket, click on the Solution form,
then on the Search a solution form, which will redirect you to the endpoint
“/glpi/front/knowbaseitem.php?item_itemtype=Ticket&item_items_id=18&forcetab=Knowbase$1”.
The item_itemtype=Ticket parameter in that URL points to the PHP alias of
the glpi_tickets table, so replacing it with “Users” points to the
glpi_users table instead. In the same way, item_items_id=18 points to the
related id column, so by changing it too you should be able to enumerate
all the content which has an alias. Since such ids are obviously
incremental, a malicious party could exploit the vulnerability simply by
guessing-based attempts.

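
For instances that cannot be upgraded to 9.5.4 immediately, the pattern described above is visible in web server access logs. The following is an added detection example, not code from GLPI or from the advisory; the log format (common/combined), the set of expected item types, the threshold and the sample log lines are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumption: item types that legitimately open the knowbase search from a
# solution form in your deployment; adjust as needed.
EXPECTED_TYPES = {"Ticket", "Problem", "Change"}
DISTINCT_ID_THRESHOLD = 5  # assumption: tune to normal helpdesk usage

# Common/combined log format: client - user [time] "METHOD target PROTO" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" \d{3}')


def find_enumeration(lines):
    """Map each suspicious client to the unexpected item types it requested
    and the number of distinct (itemtype, id) pairs it asked for."""
    pairs = defaultdict(set)
    odd_types = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/front/knowbaseitem.php"):
            continue
        query = parse_qs(url.query)
        itemtype = query.get("item_itemtype", [None])[0]
        item_id = query.get("item_items_id", [None])[0]
        if itemtype is None or item_id is None:
            continue
        pairs[client].add((itemtype, item_id))
        if itemtype not in EXPECTED_TYPES:
            odd_types[client].add(itemtype)
    return {
        client: {"unexpected_types": set(odd_types[client]), "distinct_pairs": len(seen)}
        for client, seen in pairs.items()
        if odd_types[client] or len(seen) >= DISTINCT_ID_THRESHOLD
    }


# Constructed sample access-log lines (not taken from a real system).
_FMT = '{ip} - - [10/Feb/2021:09:00:{s:02d} +0000] "GET /glpi/front/knowbaseitem.php?item_itemtype={t}&item_items_id={i}&forcetab=Knowbase$1 HTTP/1.1" 200 5120'
SAMPLE = [_FMT.format(ip="192.0.2.10", s=0, t="Ticket", i=18)] + [
    _FMT.format(ip="192.0.2.77", s=n, t="Users", i=n) for n in range(1, 7)
]

if __name__ == "__main__":
    for client, info in find_enumeration(SAMPLE).items():
        print(client, info)
```

Grouping by client address is a simplification; where the log records the authenticated user or session, group on that instead so shared proxies do not merge unrelated users.
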
github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc
github.com/glpi-project/glpi/releases/tag/9.5.4
github.com/glpi-project/glpi/security/advisories/GHSA-jvwm-gq36-3v7v
launchpad.net/bugs/cve/CVE-2021-21324
nvd.nist.gov/vuln/detail/CVE-2021-21324
security-tracker.debian.org/tracker/CVE-2021-21324
www.cve.org/CVERecord?id=CVE-2021-21324