cnvd - cnvd-2021-17773

cnvd-2021-17773

Vulnerability from cnvd

Title: GLPI存在未明漏洞（CNVD-2021-17773）

Description:

GLPI是个人开发者的一款开源IT和资产管理软件。该软件提供功能全面的IT资源管理接口，你可以用它来建立数据库全面管理IT的电脑，显示器，服务器，打印机，网络设备，电话，甚至硒鼓和墨盒等。

GLPI存在安全漏洞，未经授权的攻击者可利用该漏洞使用knowbase搜索表单枚举GLPI项目名称。

Severity: 中

Patch Name: GLPI存在未明漏洞（CNVD-2021-17773）的补丁

Patch Description:

GLPI存在安全漏洞，未经授权的攻击者可利用该漏洞使用knowbase搜索表单枚举GLPI项目名称。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已提供漏洞修补方案，请关注厂商主页及时更新： https://github.com/glpi-project/glpi/releases/tag/9.5.4

Reference: https://github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc

Impacted products

Name
GLPI GLPI <9.5.4

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-21324",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-21324"
    }
  },
  "description": "GLPI\u662f\u4e2a\u4eba\u5f00\u53d1\u8005\u7684\u4e00\u6b3e\u5f00\u6e90IT\u548c\u8d44\u4ea7\u7ba1\u7406\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u63d0\u4f9b\u529f\u80fd\u5168\u9762\u7684IT\u8d44\u6e90\u7ba1\u7406\u63a5\u53e3\uff0c\u4f60\u53ef\u4ee5\u7528\u5b83\u6765\u5efa\u7acb\u6570\u636e\u5e93\u5168\u9762\u7ba1\u7406IT\u7684\u7535\u8111\uff0c\u663e\u793a\u5668\uff0c\u670d\u52a1\u5668\uff0c\u6253\u5370\u673a\uff0c\u7f51\u7edc\u8bbe\u5907\uff0c\u7535\u8bdd\uff0c\u751a\u81f3\u7852\u9f13\u548c\u58a8\u76d2\u7b49\u3002\n\nGLPI\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u672a\u7ecf\u6388\u6743\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4f7f\u7528knowbase\u641c\u7d22\u8868\u5355\u679a\u4e3eGLPI\u9879\u76ee\u540d\u79f0\u3002",
  "formalWay": "\u5382\u5546\u5df2\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u8865\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u53ca\u65f6\u66f4\u65b0\uff1a\r\nhttps://github.com/glpi-project/glpi/releases/tag/9.5.4",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-17773",
  "openTime": "2021-03-16",
  "patchDescription": "GLPI\u662f\u4e2a\u4eba\u5f00\u53d1\u8005\u7684\u4e00\u6b3e\u5f00\u6e90IT\u548c\u8d44\u4ea7\u7ba1\u7406\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u63d0\u4f9b\u529f\u80fd\u5168\u9762\u7684IT\u8d44\u6e90\u7ba1\u7406\u63a5\u53e3\uff0c\u4f60\u53ef\u4ee5\u7528\u5b83\u6765\u5efa\u7acb\u6570\u636e\u5e93\u5168\u9762\u7ba1\u7406IT\u7684\u7535\u8111\uff0c\u663e\u793a\u5668\uff0c\u670d\u52a1\u5668\uff0c\u6253\u5370\u673a\uff0c\u7f51\u7edc\u8bbe\u5907\uff0c\u7535\u8bdd\uff0c\u751a\u81f3\u7852\u9f13\u548c\u58a8\u76d2\u7b49\u3002\r\n\r\nGLPI\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u672a\u7ecf\u6388\u6743\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4f7f\u7528knowbase\u641c\u7d22\u8868\u5355\u679a\u4e3eGLPI\u9879\u76ee\u540d\u79f0\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "GLPI\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2021-17773\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "GLPI GLPI \u003c9.5.4"
  },
  "referenceLink": "https://github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc",
  "serverity": "\u4e2d",
  "submitTime": "2021-03-12",
  "title": "GLPI\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2021-17773\uff09"
}

CVE-2021-21324 (GCVE-0-2021-21324)

Vulnerability from cvelistv5

Published

2021-03-08 17:00

Modified

2024-08-03 18:09

Severity ?

6.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

CWE

CWE-639 - Authorization Bypass Through User-Controlled Key

Summary

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 there is an Insecure Direct Object Reference (IDOR) on "Solutions". This vulnerability gives an unauthorized user the ability to enumerate GLPI items names (including users logins) using the knowbase search form (requires authentication). To Reproduce: Perform a valid authentication at your GLPI instance, Browse the ticket list and select any open ticket, click on Solution form, then Search a solution form that will redirect you to the endpoint /"glpi/front/knowbaseitem.php?item_itemtype=Ticket&item_items_id=18&forcetab=Knowbase$1", and the item_itemtype=Ticket parameter present in the previous URL will point to the PHP alias of glpi_tickets table, so just replace it with "Users" to point to glpi_users table instead; in the same way, item_items_id=18 will point to the related column id, so changing it too you should be able to enumerate all the content which has an alias. Since such id(s) are obviously incremental, a malicious party could exploit the vulnerability simply by guessing-based attempts.

References

▼	URL	Tags
	https://github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc	x_refsource_MISC
	https://github.com/glpi-project/glpi/releases/tag/9.5.4	x_refsource_MISC
	https://github.com/glpi-project/glpi/security/advisories/GHSA-jvwm-gq36-3v7v	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	glpi-project	glpi	Version: < 9.5.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:09:15.447Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/glpi-project/glpi/releases/tag/9.5.4"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-jvwm-gq36-3v7v"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "glpi",
          "vendor": "glpi-project",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 9.5.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 there is an Insecure Direct Object Reference (IDOR) on \"Solutions\". This vulnerability gives an unauthorized user the ability to enumerate GLPI items names (including users logins) using the knowbase search form (requires authentication). To Reproduce: Perform a valid authentication at your GLPI instance, Browse the ticket list and select any open ticket, click on Solution form, then Search a solution form that will redirect you to the endpoint /\"glpi/front/knowbaseitem.php?item_itemtype=Ticket\u0026item_items_id=18\u0026forcetab=Knowbase$1\", and the item_itemtype=Ticket parameter present in the previous URL will point to the PHP alias of glpi_tickets table, so just replace it with \"Users\" to point to glpi_users table instead; in the same way, item_items_id=18 will point to the related column id, so changing it too you should be able to enumerate all the content which has an alias. Since such id(s) are obviously incremental, a malicious party could exploit the vulnerability simply by guessing-based attempts."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-03-09T16:23:01",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/glpi-project/glpi/releases/tag/9.5.4"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-jvwm-gq36-3v7v"
        }
      ],
      "source": {
        "advisory": "GHSA-jvwm-gq36-3v7v",
        "discovery": "UNKNOWN"
      },
      "title": "Insecure Direct Object Reference (IDOR) on \"Solutions\"",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-21324",
          "STATE": "PUBLIC",
          "TITLE": "Insecure Direct Object Reference (IDOR) on \"Solutions\""
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "glpi",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 9.5.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "glpi-project"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 there is an Insecure Direct Object Reference (IDOR) on \"Solutions\". This vulnerability gives an unauthorized user the ability to enumerate GLPI items names (including users logins) using the knowbase search form (requires authentication). To Reproduce: Perform a valid authentication at your GLPI instance, Browse the ticket list and select any open ticket, click on Solution form, then Search a solution form that will redirect you to the endpoint /\"glpi/front/knowbaseitem.php?item_itemtype=Ticket\u0026item_items_id=18\u0026forcetab=Knowbase$1\", and the item_itemtype=Ticket parameter present in the previous URL will point to the PHP alias of glpi_tickets table, so just replace it with \"Users\" to point to glpi_users table instead; in the same way, item_items_id=18 will point to the related column id, so changing it too you should be able to enumerate all the content which has an alias. Since such id(s) are obviously incremental, a malicious party could exploit the vulnerability simply by guessing-based attempts."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-639 Authorization Bypass Through User-Controlled Key"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc",
              "refsource": "MISC",
              "url": "https://github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc"
            },
            {
              "name": "https://github.com/glpi-project/glpi/releases/tag/9.5.4",
              "refsource": "MISC",
              "url": "https://github.com/glpi-project/glpi/releases/tag/9.5.4"
            },
            {
              "name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-jvwm-gq36-3v7v",
              "refsource": "CONFIRM",
              "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-jvwm-gq36-3v7v"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-jvwm-gq36-3v7v",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-21324",
    "datePublished": "2021-03-08T17:00:33",
    "dateReserved": "2020-12-22T00:00:00",
    "dateUpdated": "2024-08-03T18:09:15.447Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted