A vulnerability has been found in GLPI up to 10.0.9 (Asset Management Software) and classified as critical. Affected by this vulnerability is an unknown function of the component Kanban. The manipulation with an unknown input leads to a privileges management vulnerability. The CWE definition for the vulnerability is CWE-269. The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. A logged user from any profile can hijack the Kanban feature to alter any user field, and end-up with stealing its account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

The weakness was disclosed 09/27/2023 as GHSA-5wj6-hp4c-j5q9. The advisory is shared at github.com. This vulnerability is known as CVE-2023-41326 since 08/28/2023. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1068 for this issue.

Upgrading to version 10.0.10 eliminates this vulnerability.

The entry VDB-201564 is pretty similar.

Productinfo

Type

• Asset Management Software

Name

• GLPI

Version

• 10.0.0
• 10.0.1
• 10.0.2
• 10.0.3
• 10.0.4
• 10.0.5
• 10.0.6
• 10.0.7
• 10.0.8
• 10.0.9

License

• open-source

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion