CVE-2020-26212

GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of every other user, even admin ones. Steps to reproduce the behavior: 1. Create a new planning with 'eduardo.mozart' user (from 'IT' group that belongs to 'Super-admin') into it's personal planning at 'Assistance' > 'Planning'. 2. Copy the CalDAV url and use a CalDAV client (e.g. Thunderbird) to sync the planning with the provided URL. 3. Inform the username and password from any valid user (e.g. 'camila' from 'Proativa' group). 4. 'Camila' has read-only access to 'eduardo.mozart' personal planning. The same behavior happens to any group. E.g. 'Camila' has access to 'IT' group planning, even if she doesn't belong to this group and has a 'Self-service' profile permission). This issue is fixed in version 9.5.3. As a workaround, one can remove the `caldav.php` file to block access to CalDAV server.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/glpi-project/glpi/commit/527280358ec78988ac57e9809d2eb21fcd74caf7	Patch Third Party Advisory
https://github.com/glpi-project/glpi/releases/tag/9.5.3	Release Notes Third Party Advisory
https://github.com/glpi-project/glpi/security/advisories/GHSA-qmw3-87hr-5wgx	Exploit Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-11-25 17:15

Updated : 2023-12-10 13:41

NVD link : CVE-2020-26212

Mitre link : CVE-2020-26212

CVE.ORG link : CVE-2020-26212

JSON object : View

Products Affected

glpi-project

glpi

CWE

CWE-862

Missing Authorization

{"id": "CVE-2020-26212", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.1}]}, "published": "2020-11-25T17:15:12.073", "references": [{"url": "https://github.com/glpi-project/glpi/commit/527280358ec78988ac57e9809d2eb21fcd74caf7", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/glpi-project/glpi/releases/tag/9.5.3", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-qmw3-87hr-5wgx", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of every other user, even admin ones. Steps to reproduce the behavior: 1. Create a new planning with 'eduardo.mozart' user (from 'IT' group that belongs to 'Super-admin') into it's personal planning at 'Assistance' > 'Planning'. 2. Copy the CalDAV url and use a CalDAV client (e.g. Thunderbird) to sync the planning with the provided URL. 3. Inform the username and password from any valid user (e.g. 'camila' from 'Proativa' group). 4. 'Camila' has read-only access to 'eduardo.mozart' personal planning. The same behavior happens to any group. E.g. 'Camila' has access to 'IT' group planning, even if she doesn't belong to this group and has a 'Self-service' profile permission). This issue is fixed in version 9.5.3. As a workaround, one can remove the `caldav.php` file to block access to CalDAV server."}, {"lang": "es", "value": "GLPI son las siglas de Gestionnaire Libre de Parc Informatique y es un paquete de software gratuito de gesti\u00f3n de activos y TI, que proporciona funciones de ITIL Service Desk, seguimiento de licencias y auditor\u00eda de software. En GLPI antes de la versi\u00f3n 9.5.3, cualquier usuario autenticado tiene permisos de solo lectura para la planificaci\u00f3n de todos los dem\u00e1s usuarios, inclusive los administradores. Pasos para reproducir el comportamiento: 1. Cree una nueva planificaci\u00f3n con el usuario \"eduardo.mozart\" (del grupo \"TI\" que pertenece a \"Super-admin'\") en su planificaci\u00f3n personal en \"Assistance\" ) \"Planning\". 2. Copie la URL de CalDAV y utilice un cliente de CalDAV (por ejemplo, Thunderbird) para sincronizar la planificaci\u00f3n con la URL proporcionada. 3. Informar el nombre de usuario y la contrase\u00f1a de cualquier usuario v\u00e1lido (por ejemplo, \"camila\" del grupo \"Proativa\"). 4. \"Camila\" tiene acceso de solo lectura a \"eduardo.mozart\" planificaci\u00f3n personal. El mismo comportamiento le ocurre a cualquier grupo. Por ejemplo, \"Camila\" tiene acceso a la planificaci\u00f3n grupal de \"TI\", inclusive si no pertenece a este grupo y tiene un permiso de perfil de \"Self-service\"). Este problema se solucion\u00f3 en la versi\u00f3n 9.5.3. Como soluci\u00f3n alternativa, se puede eliminar el archivo \"caldav.php\" para bloquear el acceso al servidor CalDAV"}], "lastModified": "2020-12-07T21:29:55.167", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "59250785-B5F7-4268-984A-B87FD4869A15", "versionEndExcluding": "9.5.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}