CVE-2020-15217 in GLPI

Summary

by MITRE • 10/08/2020

In GLPI before version 9.5.2, there is a leakage of user information through the public FAQ. The issue was introduced in version 9.5.0 and patched in 9.5.2. As a workaround, disable public access to the FAQ.


Analysis

by VulDB Data Team • 11/17/2020

The vulnerability CVE-2020-15217 represents a critical information disclosure flaw in the GLPI (Gestionnaire Libre de Parc Informatique) IT asset management system. This vulnerability specifically affects versions prior to 9.5.2 and was introduced in version 9.5.0, making it a regression issue that compromised previously secure functionality. The flaw manifests through the public FAQ component of the system, which inadvertently exposes sensitive user information to unauthorized parties who should not have access to such data. This represents a direct violation of the principle of least privilege and demonstrates a failure in access control mechanisms within the application's security architecture.

The flaw stems from inadequate access controls in the FAQ module's public interface. When the public FAQ section is accessed, the system fails to properly authenticate or authorize the request, so anonymous users can retrieve user-specific information that should only be available to authenticated users with appropriate permissions. The weakness is classified as CWE-200 ("Information Exposure"): a classic improper access control case in which the system does not adequately verify the requester's credentials or role before serving sensitive content. The resulting disclosure channel bypasses the normal authentication mechanisms and can potentially expose personal user data, session information, or other sensitive attributes held by GLPI.

The operational impact of CVE-2020-15217 extends beyond simple data leakage, as it fundamentally undermines the trust model of the GLPI system and creates potential downstream security risks. Organizations relying on GLPI for IT asset management and user account administration face significant risks including unauthorized access to user credentials, personal information exposure, and potential credential harvesting attacks. The vulnerability affects any organization that has enabled public FAQ access, which is common in support environments where organizations want to provide self-service knowledge bases while maintaining internal user data privacy. This issue directly conflicts with security frameworks such as NIST SP 800-53 requirements for access control and information flow protection, as it allows unauthorized information disclosure that violates data confidentiality principles.

Organizations affected by this vulnerability should immediately apply the recommended workaround of disabling public access to the FAQ module while planning the mandatory upgrade to GLPI version 9.5.2 or later. Mitigation should also include monitoring for unauthorized access attempts and reviewing existing access controls to ensure no other public interface has a similar information disclosure flaw. Security teams should audit all public-facing components of their GLPI installations to identify additional potential vulnerabilities. From an ATT&CK framework perspective, this vulnerability maps to T1071.004 (Application Layer Protocol: DNS) and T1566 (Phishing), as it can enable attackers to gather intelligence about users and systems. It also aligns with T1005 (Data from Local System) and T1083 (File and Directory Discovery), as it allows unauthorized access to system information that should remain protected within the organization's internal user management systems.
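As an added triage helper (not part of the VulDB entry or of the GLPI project), the following Python snippet encodes the regression window described above: only versions from 9.5.0 up to but not including 9.5.2 are affected, and an affected instance is exposed only while public FAQ access is enabled. The `public_faq_enabled` flag is a hypothetical input that the caller supplies from the instance's configuration; pre-release builds such as `9.5.2-rc1` are treated conservatively as sorting below the final release.

```python
import re
from typing import Tuple

# Affected window from the advisory: introduced in 9.5.0, fixed in 9.5.2.
# The fourth tuple component is 0 for a pre-release and 1 for a final release.
INTRODUCED = (9, 5, 0, 0)   # 9.5.0 pre-releases are counted as affected
FIXED = (9, 5, 2, 1)        # only the final 9.5.2 (and later) counts as fixed


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a GLPI version string ('9.5.1', 'v9.5', '9.5.2-rc1') into a
    comparable tuple.  Missing components are padded with 0 and a
    pre-release suffix lowers the final component so it sorts below the
    corresponding final release."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)(-[0-9A-Za-z.]+)?\s*$", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2], 0 if m.group(2) else 1)


def is_affected_version(version: str) -> bool:
    """True only inside the regression window [9.5.0, 9.5.2)."""
    return INTRODUCED <= parse_version(version) < FIXED


def assess(version: str, public_faq_enabled: bool) -> str:
    """Triage verdict for one GLPI instance.  public_faq_enabled is a
    hypothetical input the caller derives from the instance configuration."""
    if not is_affected_version(version):
        return "not affected"
    if public_faq_enabled:
        return "exposed: disable public FAQ now and upgrade to 9.5.2 or later"
    return "affected, workaround in place: upgrade to 9.5.2 or later"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("glpi-a", "9.4.6", True), ("glpi-b", "9.5.1", True),
                 ("glpi-c", "9.5.0", False), ("glpi-d", "9.5.2-rc1", True),
                 ("glpi-e", "9.5.2", True)]
    for host, ver, faq in inventory:
        print(f"{host:8s} {ver:10s} {assess(ver, faq)}")
```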

Responsible: GitHub, Inc.

Reservation: 06/25/2020

Disclosure: 10/08/2020

Moderation: accepted

CPE: ready

EPSS: 0.00234

KEV: no

Activities: very low
