cnvd - cnvd-2021-17776

cnvd-2021-17776

Vulnerability from cnvd

Title: GLPI存在未明漏洞（CNVD-2021-17776）

Description:

GLPI是个人开发者的一款开源IT和资产管理软件。该软件提供功能全面的IT资源管理接口，你可以用它来建立数据库全面管理IT的电脑，显示器，服务器，打印机，网络设备，电话，甚至硒鼓和墨盒等。

GLPI 9.5.3 存在安全漏洞，该漏洞源于可用IDOR从登录用户切换实体。目前没有详细的漏洞细节提供。

Severity: 低

Patch Name: GLPI存在未明漏洞（CNVD-2021-17776）的补丁

Patch Description:

GLPI 9.5.3 存在安全漏洞，该漏洞源于可用IDOR从登录用户切换实体。目前没有详细的漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已提供漏洞修补方案，请关注厂商主页及时更新： https://github.com/glpi-project/glpi/security/advisories/GHSA-v3m5-r3mx-ff9j

Reference: https://github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc

Impacted products

Name
GLPI GLPI 9.5.3

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-21255",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-21255"
    }
  },
  "description": "GLPI\u662f\u4e2a\u4eba\u5f00\u53d1\u8005\u7684\u4e00\u6b3e\u5f00\u6e90IT\u548c\u8d44\u4ea7\u7ba1\u7406\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u63d0\u4f9b\u529f\u80fd\u5168\u9762\u7684IT\u8d44\u6e90\u7ba1\u7406\u63a5\u53e3\uff0c\u4f60\u53ef\u4ee5\u7528\u5b83\u6765\u5efa\u7acb\u6570\u636e\u5e93\u5168\u9762\u7ba1\u7406IT\u7684\u7535\u8111\uff0c\u663e\u793a\u5668\uff0c\u670d\u52a1\u5668\uff0c\u6253\u5370\u673a\uff0c\u7f51\u7edc\u8bbe\u5907\uff0c\u7535\u8bdd\uff0c\u751a\u81f3\u7852\u9f13\u548c\u58a8\u76d2\u7b49\u3002\n\nGLPI 9.5.3 \u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u53ef\u7528IDOR\u4ece\u767b\u5f55\u7528\u6237\u5207\u6362\u5b9e\u4f53\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u5382\u5546\u5df2\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u8865\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u53ca\u65f6\u66f4\u65b0\uff1a\r\nhttps://github.com/glpi-project/glpi/security/advisories/GHSA-v3m5-r3mx-ff9j",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-17776",
  "openTime": "2021-03-16",
  "patchDescription": "GLPI\u662f\u4e2a\u4eba\u5f00\u53d1\u8005\u7684\u4e00\u6b3e\u5f00\u6e90IT\u548c\u8d44\u4ea7\u7ba1\u7406\u8f6f\u4ef6\u3002\u8be5\u8f6f\u4ef6\u63d0\u4f9b\u529f\u80fd\u5168\u9762\u7684IT\u8d44\u6e90\u7ba1\u7406\u63a5\u53e3\uff0c\u4f60\u53ef\u4ee5\u7528\u5b83\u6765\u5efa\u7acb\u6570\u636e\u5e93\u5168\u9762\u7ba1\u7406IT\u7684\u7535\u8111\uff0c\u663e\u793a\u5668\uff0c\u670d\u52a1\u5668\uff0c\u6253\u5370\u673a\uff0c\u7f51\u7edc\u8bbe\u5907\uff0c\u7535\u8bdd\uff0c\u751a\u81f3\u7852\u9f13\u548c\u58a8\u76d2\u7b49\u3002\r\n\r\nGLPI 9.5.3 \u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u53ef\u7528IDOR\u4ece\u767b\u5f55\u7528\u6237\u5207\u6362\u5b9e\u4f53\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "GLPI\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2021-17776\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "GLPI GLPI 9.5.3"
  },
  "referenceLink": "https://github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc",
  "serverity": "\u4f4e",
  "submitTime": "2021-03-10",
  "title": "GLPI\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2021-17776\uff09"
}

CVE-2021-21255 (GCVE-0-2021-21255)

Vulnerability from cvelistv5

Published

2021-03-02 19:40

Modified

2024-08-03 18:09

Severity ?

5.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N

CWE

CWE-862 - Missing Authorization

Summary

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI version 9.5.3, it was possible to switch entities with IDOR from a logged in user. This is fixed in version 9.5.4.

References

▼	URL	Tags
	https://github.com/glpi-project/glpi/security/advisories/GHSA-v3m5-r3mx-ff9j	x_refsource_CONFIRM
	https://github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	glpi-project	glpi	Version: = 9.5.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:09:14.994Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-v3m5-r3mx-ff9j"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "glpi",
          "vendor": "glpi-project",
          "versions": [
            {
              "status": "affected",
              "version": "= 9.5.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI version 9.5.3, it was possible to switch entities with IDOR from a logged in user. This is fixed in version 9.5.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-03-02T19:40:20",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-v3m5-r3mx-ff9j"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc"
        }
      ],
      "source": {
        "advisory": "GHSA-v3m5-r3mx-ff9j",
        "discovery": "UNKNOWN"
      },
      "title": "entities switch IDOR",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-21255",
          "STATE": "PUBLIC",
          "TITLE": "entities switch IDOR"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "glpi",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "= 9.5.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "glpi-project"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI version 9.5.3, it was possible to switch entities with IDOR from a logged in user. This is fixed in version 9.5.4."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-862 Missing Authorization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-v3m5-r3mx-ff9j",
              "refsource": "CONFIRM",
              "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-v3m5-r3mx-ff9j"
            },
            {
              "name": "https://github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc",
              "refsource": "MISC",
              "url": "https://github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-v3m5-r3mx-ff9j",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-21255",
    "datePublished": "2021-03-02T19:40:20",
    "dateReserved": "2020-12-22T00:00:00",
    "dateUpdated": "2024-08-03T18:09:14.994Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted