Multiple vulnerabilities in GLPI



Published: 2021-09-17
Risk Medium
Patch available YES
Number of vulnerabilities 4
CVE-ID CVE-2021-39211
CVE-2021-39210
CVE-2021-39209
CVE-2021-39213
CWE-ID CWE-200
CWE-1004
CWE-352
CWE-74
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
GLPI
Web applications / CRM systems

Vendor glpi-project

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Information disclosure

EUVDB-ID: #VU56686

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39211

CWE-ID: CWE-200 - Information Exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in telemetry endpoint. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

GLPI: 9.2, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.1.1, 9.4.2, 9.4.3, 9.4.4, 9.4.5, 9.4.6, 9.5.0, 9.5.1, 9.5.2, 9.5.3, 9.5.4, 9.5.5

CPE2.3 External links

http://github.com/glpi-project/glpi/security/advisories/GHSA-xx66-v3g5-w825
http://github.com/glpi-project/glpi/releases/tag/9.5.6

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Sensitive Cookie Without 'HttpOnly' Flag

EUVDB-ID: #VU56687

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39210

CWE-ID: CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the cookie used to store the autologin cookie (when a user uses the "remember me" feature) is accessible by scripts. A remote authenticated attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

GLPI: 0.20, 0.20.1, 0.21, 0.30, 0.31, 0.40, 0.41, 0.42, 0.50, 0.51, 0.51a, 0.60, 0.65, 0.68, 0.68.1, 0.68.2, 0.68.3, 0.70, 0.70.1, 0.70.2, 0.71, 0.71.1, 0.71.2, 0.71.3, 0.71.4, 0.71.5, 0.71.6, 0.72, 0.72.1, 0.72.2, 0.72.3, 0.72.4, 0.72.21, 0.78, 0.78.1, 0.78.2, 0.78.3, 0.78.4, 0.78.5, 0.80, 0.80.1, 0.80.2, 0.80.3, 0.80.4, 0.80.5, 0.80.6, 0.80.7, 0.80.61, 0.83, 0.83.1, 0.83.2, 0.83.3, 0.83.4, 0.83.5, 0.83.6, 0.83.7, 0.83.8, 0.83.9, 0.83.31, 0.83.91, 0.84, 0.84.1, 0.84.2, 0.84.3, 0.84.4, 0.84.5, 0.84.6, 0.84.7, 0.84.8, 0.85, 0.85.1, 0.85.2, 0.85.3, 0.85.4, 0.85.5, 0.90, 0.90.1, 0.90.2, 0.90.3, 0.90.4, 0.90.5, 9.1, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.7.1, 9.2, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.1.1, 9.4.2, 9.4.3, 9.4.4, 9.4.5, 9.4.6, 9.5.0, 9.5.1, 9.5.2, 9.5.3, 9.5.4, 9.5.5

CPE2.3 External links

http://github.com/glpi-project/glpi/security/advisories/GHSA-hwxq-4c5f-m4v2
http://huntr.dev/bounties/b2e99a41-b904-419f-a274-ae383e4925f2/
http://github.com/glpi-project/glpi/releases/tag/9.5.6

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Cross-site request forgery

EUVDB-ID: #VU56688

Risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39209

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

Mitigation

Install update from vendor's website.

Vulnerable software versions

GLPI: 0.20, 0.20.1, 0.21, 0.30, 0.31, 0.40, 0.41, 0.42, 0.50, 0.51, 0.51a, 0.60, 0.65, 0.68, 0.68.1, 0.68.2, 0.68.3, 0.70, 0.70.1, 0.70.2, 0.71, 0.71.1, 0.71.2, 0.71.3, 0.71.4, 0.71.5, 0.71.6, 0.72, 0.72.1, 0.72.2, 0.72.3, 0.72.4, 0.72.21, 0.78, 0.78.1, 0.78.2, 0.78.3, 0.78.4, 0.78.5, 0.80, 0.80.1, 0.80.2, 0.80.3, 0.80.4, 0.80.5, 0.80.6, 0.80.7, 0.80.61, 0.83, 0.83.1, 0.83.2, 0.83.3, 0.83.4, 0.83.5, 0.83.6, 0.83.7, 0.83.8, 0.83.9, 0.83.31, 0.83.91, 0.84, 0.84.1, 0.84.2, 0.84.3, 0.84.4, 0.84.5, 0.84.6, 0.84.7, 0.84.8, 0.85, 0.85.1, 0.85.2, 0.85.3, 0.85.4, 0.85.5, 0.90, 0.90.1, 0.90.2, 0.90.3, 0.90.4, 0.90.5, 9.1, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.7.1, 9.2, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.1.1, 9.4.2, 9.4.3, 9.4.4, 9.4.5, 9.4.6, 9.5.0, 9.5.1, 9.5.2, 9.5.3, 9.5.4, 9.5.5

CPE2.3 External links

http://github.com/glpi-project/glpi/security/advisories/GHSA-5qpf-32w7-c56p
http://github.com/glpi-project/glpi/releases/tag/9.5.6

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Improper Neutralization of Special Elements in Output Used by a Downstream Component

EUVDB-ID: #VU56689

Risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-39213

CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper inout validation. A remote authenticated attacker can bypass API with custom header injection.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

GLPI: 9.1, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.7.1, 9.2, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.1.1, 9.4.2, 9.4.3, 9.4.4, 9.4.5, 9.4.6, 9.5.0, 9.5.1, 9.5.2, 9.5.3, 9.5.4, 9.5.5

CPE2.3 External links

http://github.com/glpi-project/glpi/security/advisories/GHSA-6w9f-2m6g-5777
http://github.com/glpi-project/glpi/releases/tag/9.5.6

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###