CVE-2021-39210 in GLPIinfo

Summary

by MITRE • 09/16/2021

GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, the cookie used to store the autologin cookie (when a user uses the "remember me" feature) is accessible by scripts. A malicious plugin that could steal this cookie would be able to use it to autologin. This issue is fixed in version 9.5.6. As a workaround, one may avoid using the "remember me" feature.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 09/19/2021

The vulnerability described in CVE-2021-39210 affects GLPI, a widely-used open-source asset and IT management software package that serves organizations for tracking hardware, software, and IT resources. This particular flaw resides in the authentication mechanism implementation within versions prior to 9.5.6, specifically concerning the autologin cookie functionality. The issue represents a significant security weakness that could potentially allow unauthorized access to user accounts through the exploitation of improperly secured session management components.

The technical flaw manifests in the improper handling of cookies used for automatic login functionality when users select the "remember me" feature. In vulnerable versions, the cookie that stores authentication credentials for automatic re-authentication is accessible to client-side scripts, including malicious plugins that may be installed on the system. This accessibility creates a cross-site scripting vulnerability where a compromised plugin could intercept and exfiltrate the autologin cookie, effectively granting the malicious actor persistent access to the victim's account without requiring additional authentication credentials. The vulnerability directly relates to CWE-200, which addresses improper exposure of sensitive information, and CWE-352, which covers cross-site request forgery vulnerabilities.

The operational impact of this vulnerability extends beyond simple unauthorized access, as it enables persistent compromise of user sessions within the GLPI environment. An attacker who successfully exploits this vulnerability can maintain access to the management system indefinitely, potentially gaining access to sensitive asset information, configuration data, and IT resource tracking details. This persistent access could facilitate further attacks within the network infrastructure, as GLPI often serves as a central repository for critical IT asset information. The vulnerability affects the integrity and confidentiality of the entire system, as unauthorized access to user accounts could lead to data manipulation, unauthorized changes to asset records, or complete system compromise. According to ATT&CK framework, this vulnerability maps to T1566.001 (Phishing: Spearphishing Attachment) and T1078.004 (Valid Accounts: Default Accounts) when exploited through malicious plugins, and T1562.001 (Impair Defenses: Disable or Modify Tools) when used to maintain persistence.

Organizations utilizing GLPI should prioritize immediate remediation by upgrading to version 9.5.6 or later, which implements proper cookie security measures including appropriate HttpOnly and Secure flags. The workaround of avoiding the "remember me" feature provides temporary relief but does not address the underlying issue, leaving systems vulnerable to other attack vectors. Security teams should conduct comprehensive audits of installed plugins to identify potentially malicious components and implement network monitoring to detect unauthorized cookie access patterns. Additionally, organizations should review their access control policies and implement multi-factor authentication where possible to reduce the impact of credential compromise. The vulnerability highlights the critical importance of proper session management and cookie security practices in web applications, particularly those handling sensitive organizational data.

Responsible

GitHub, Inc.

Reservation

08/16/2021

Disclosure

09/16/2021

Moderation

accepted

CPE

ready

EPSS

0.00982

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!