CVE-2021-21324

{"id": "CVE-2021-21324", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 2.3}]}, "published": "2021-03-08T17:15:12.757", "references": [{"url": "https://github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/glpi-project/glpi/releases/tag/9.5.4", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-jvwm-gq36-3v7v", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 there is an Insecure Direct Object Reference (IDOR) on \"Solutions\". This vulnerability gives an unauthorized user the ability to enumerate GLPI items names (including users logins) using the knowbase search form (requires authentication). To Reproduce: Perform a valid authentication at your GLPI instance, Browse the ticket list and select any open ticket, click on Solution form, then Search a solution form that will redirect you to the endpoint /\"glpi/front/knowbaseitem.php?item_itemtype=Ticket&item_items_id=18&forcetab=Knowbase$1\", and the item_itemtype=Ticket parameter present in the previous URL will point to the PHP alias of glpi_tickets table, so just replace it with \"Users\" to point to glpi_users table instead; in the same way, item_items_id=18 will point to the related column id, so changing it too you should be able to enumerate all the content which has an alias. Since such id(s) are obviously incremental, a malicious party could exploit the vulnerability simply by guessing-based attempts."}, {"lang": "es", "value": "GLPI es un paquete de software de gesti\u00f3n de activos y TI de c\u00f3digo abierto que proporciona funciones de ITIL Service Desk, seguimiento de licencias y auditor\u00eda de software. En GLPI versiones anteriores a 9.5.4, se presenta una Referencia Directa a Objeto No Segura (IDOR) en \"Solutions\". Esta vulnerabilidad le otorga a un usuario no autorizado la habilidad de enumerar los nombres de los elementos de GLPI (incluyendo los inicios de sesi\u00f3n de los usuarios) mediante el formulario de b\u00fasqueda de la base de conocimientos (requiere autenticaci\u00f3n). Para reproducir: Realice una autenticaci\u00f3n v\u00e1lida en su instancia GLPI, Explore la lista de tickets y seleccione cualquier ticket abierto, haga clic en el formulario Solution, luego Busque un formulario de soluci\u00f3n que lo redireccionar\u00e1 al endpoint /\"glpi/front/knowbaseitem.php?item_itemtype=Ticket&item_items_id=18&forcetab=Knowbase$1\", y el par\u00e1metro item_itemtype=Ticket presente en la URL anterior apuntar\u00e1 al alias de PHP de la tabla glpi_tickets, as\u00ed que reempl\u00e1celo con \"Users\" para que apunte a la tabla glpi_users en su lugar; de la misma manera, item_items_id=18 apuntar\u00e1 a la identificaci\u00f3n de la columna relacionada, as\u00ed que cambi\u00e1ndola tambi\u00e9n deber\u00edas poder enumerar todo el contenido que presenta un alias. Dado que tales identificaciones son obviamente incrementales, una parte maliciosa podr\u00eda explotar la vulnerabilidad simplemente con intentos basados ??en adivinanzas"}], "lastModified": "2021-03-17T14:06:00.723", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9506B7CC-727B-40FE-B5A3-69B362E1ACEB", "versionEndExcluding": "9.5.4"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}