CVE-2021-39209 in GLPIinfo

Summary

by MITRE • 09/16/2021

GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, a user who is logged in to GLPI can bypass Cross-Site Request Forgery (CSRF) protection in many places. This could allow a malicious actor to perform many actions on GLPI. This issue is fixed in version 9.5.6. There are no workarounds aside from upgrading.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 09/19/2021

The vulnerability identified as CVE-2021-39209 affects GLPI, a widely-used open-source asset and IT management software package that serves organizations in maintaining their technology infrastructure inventory and management workflows. This particular flaw represents a critical security weakness that undermines the application's fundamental web security mechanisms, specifically targeting its Cross-Site Request Forgery protection controls. The vulnerability exists in GLPI versions prior to 9.5.6, making all earlier installations susceptible to exploitation by malicious actors who can leverage this weakness to execute unauthorized actions within the application's administrative environment.

The technical flaw manifests as a failure in the CSRF protection mechanism that should normally validate and authenticate user requests originating from legitimate sources within the application. When a user maintains an active session within GLPI, the system should enforce strict validation of all incoming requests to ensure they originate from authorized sources and are properly authenticated. However, this vulnerability allows authenticated users to bypass these critical security checks, effectively enabling attackers to forge requests that appear to come from legitimate users within the application. The flaw essentially permits malicious actors to perform unauthorized actions that would normally require explicit user consent or authentication through proper CSRF token validation mechanisms.

The operational impact of this vulnerability extends far beyond simple data theft or unauthorized access, as it provides attackers with the capability to execute a wide range of administrative actions within the GLPI environment. This includes but is not limited to creating or modifying user accounts, altering asset records, modifying system configurations, and potentially accessing sensitive information stored within the IT asset management system. The vulnerability's severity is amplified by the fact that it requires no additional authentication beyond an existing valid session, making it particularly dangerous in environments where users may remain logged in for extended periods. Attackers could exploit this weakness to gain persistent access to the system and carry out malicious activities that could compromise the integrity of the entire IT asset management infrastructure.

This vulnerability maps directly to CWE-352, which specifically addresses Cross-Site Request Forgery weaknesses in web applications, and aligns with several ATT&CK techniques including T1078 for valid accounts and T1566 for credential harvesting through social engineering or session manipulation. The lack of viable workarounds aside from upgrading underscores the critical nature of this issue, as organizations cannot simply implement temporary patches or configuration changes to mitigate the risk. The fix implemented in GLPI version 9.5.6 demonstrates the necessity of proper CSRF token implementation and validation mechanisms that ensure all user actions are properly authenticated and authorized. Organizations utilizing GLPI must prioritize immediate upgrade to version 9.5.6 or later to protect their IT asset management systems from potential exploitation, as the vulnerability creates an open door for attackers to perform unauthorized administrative operations that could severely compromise their technology infrastructure management capabilities.

Responsible

GitHub, Inc.

Reservation

08/16/2021

Disclosure

09/16/2021

Moderation

accepted

CPE

ready

EPSS

0.00518

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!