CVE-2021-39211 in GLPI
Summary
by MITRE • 09/16/2021
GLPI is a free Asset and IT management software package. Starting in version 9.2 and prior to version 9.5.6, the telemetry endpoint discloses GLPI and server information. This issue is fixed in version 9.5.6. As a workaround, remove the file `ajax/telemetry.php`, which is not needed for usual functions of GLPI.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 09/19/2021
The vulnerability identified as CVE-2021-39211 affects GLPI, a widely-used open-source asset and IT management software package that serves organizations for tracking hardware, software, and IT resources. This particular flaw resides within the telemetry endpoint functionality that was introduced in version 9.2 and remained present through versions prior to 9.5.6. The vulnerability represents a significant information disclosure issue that exposes sensitive system details to unauthorized parties, potentially compromising the security posture of organizations relying on this platform for critical IT asset management operations.
The technical flaw manifests through the telemetry endpoint located at ajax/telemetry.php which inadvertently reveals comprehensive information about both the GLPI application itself and the underlying server infrastructure. This exposure includes version details, system configuration data, and potentially other sensitive metadata that could be leveraged by threat actors to identify specific vulnerabilities within the GLPI installation or the server environment. The disclosure occurs without proper authentication requirements, making it accessible to any external party capable of reaching the affected endpoint. According to CWE classification, this vulnerability maps to CWE-200 Information Exposure, which specifically addresses the improper exposure of sensitive information to unauthorized actors.
The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with valuable reconnaissance data that can be used to plan more sophisticated attacks against the affected systems. Threat actors can utilize the exposed GLPI version information to identify known vulnerabilities specific to that version, while server information disclosure can reveal operating system details, installed software versions, and other system characteristics that may be exploited in subsequent attack phases. This information leakage directly violates fundamental security principles of least privilege and defense in depth, as it provides attackers with insights that should remain confidential to maintain system security.
Organizations utilizing GLPI versions between 9.2 and 9.5.5 face significant risk from this vulnerability, particularly those with limited network segmentation or those operating in environments where external network access is not properly restricted. The recommended remediation involves upgrading to GLPI version 9.5.6 or later, which contains the necessary patches to address the telemetry endpoint disclosure. As a temporary workaround, administrators can remove the ajax/telemetry.php file from their installations, though this approach only mitigates the immediate risk and does not address the underlying architectural issues. This remediation strategy aligns with ATT&CK technique T1068, which involves the use of privilege escalation and reconnaissance techniques, where the information disclosure provides the initial reconnaissance data needed for more advanced attack vectors. The vulnerability demonstrates how seemingly innocuous features like telemetry can become security liabilities when not properly secured, highlighting the importance of comprehensive security reviews during software development and deployment phases.