CVE-2023-35940 in GLPI
Summary
by MITRE • 07/06/2023
GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a file allows an unauthenticated user to be able to access dashboards data. Version 10.0.8 contains a patch for this issue.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/06/2023
The vulnerability identified as CVE-2023-35940 affects GLPI, a widely-used open-source asset and IT management software package that serves organizations for tracking hardware, software, and IT resources. This security flaw exists in versions 9.5.0 through 10.0.7, creating a critical access control weakness that undermines the software's security model. The issue stems from an improper rights validation mechanism that fails to adequately verify user authentication status before granting access to sensitive dashboard data, representing a fundamental failure in the application's authorization framework.
Technically, the vulnerability is a missing or insufficient access control check on specific files within the GLPI application. An attacker can exploit this weakness by directly requesting certain dashboard endpoints without valid authentication credentials, bypassing the intended authentication mechanisms. The flaw operates at the application layer and directly violates the principle of least privilege, allowing unauthorized users to view organizational IT asset data and dashboard metrics. It represents a classic case of insecure direct object reference or improper access control, aligning with the CWE-285 and CWE-668 categories.
The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with access to comprehensive dashboard data that may include asset inventories, usage statistics, and IT resource allocations. This information could enable attackers to conduct reconnaissance activities, identify potential targets for further attacks, or gain insights into organizational IT infrastructure that would normally be restricted to authorized personnel. The exposure of dashboard data could facilitate more sophisticated attacks such as privilege escalation attempts or targeted social engineering campaigns, making this vulnerability particularly dangerous in enterprise environments where GLPI manages critical IT asset information. The risk is exacerbated by the fact that this vulnerability affects multiple versions of the software, potentially leaving many organizations exposed for extended periods.
Organizations running GLPI should upgrade to version 10.0.8 or later without delay, as this release contains the patch for the access control flaw. System administrators should also audit their GLPI installations to confirm that every affected instance has been updated and to verify that no unauthorized access has occurred. Additional mitigations include network segmentation to limit who can reach GLPI systems, monitoring access logs for suspicious activity, and enforcing authentication at network boundaries. Security teams should also consider a web application firewall to detect and block attempts to reach protected dashboard endpoints without proper authentication; these controls correspond to the defensive measures the MITRE ATT&CK framework lists against the privilege escalation and defense evasion tactics.
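One way to act on the log-monitoring advice above is to scan web server access logs for successful dashboard requests that carry no GLPI session cookie. This is an added example, not code from VulDB or the GLPI project; it assumes an Apache-style log format with the Cookie header appended as a final quoted field, a dashboard endpoint path of /ajax/dashboard.php (a placeholder to adjust to the real deployment), and GLPI session cookies named glpi_<id>.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log lines (not real traffic). Assumed format: combined log
# plus the request Cookie header as a trailing quoted field ("-" when absent).
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jun/2023:10:01:02 +0000] "GET /ajax/dashboard.php?action=get_dashboard_items HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "glpi_a1b2=deadbeef"
198.51.100.7 - - [07/Jun/2023:10:01:09 +0000] "GET /ajax/dashboard.php?action=get_dashboard_items HTTP/1.1" 200 5120 "-" "python-requests/2.31" "-"
198.51.100.7 - - [07/Jun/2023:10:01:10 +0000] "GET /ajax/dashboard.php?action=get_card HTTP/1.1" 200 2048 "-" "python-requests/2.31" "-"
10.0.0.9 - - [07/Jun/2023:10:02:00 +0000] "GET /front/central.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"
10.0.0.9 - - [07/Jun/2023:10:02:30 +0000] "GET /ajax/dashboard.php?action=get_card HTTP/1.1" 403 0 "-" "Mozilla/5.0" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)
# Assumed endpoint path (placeholder) and assumed session cookie naming.
DASHBOARD_RE = re.compile(r"^/(?:[^?]*/)?ajax/dashboard\.php(?:\?|$)")
SESSION_COOKIE_RE = re.compile(r"(?:^|;\s*)glpi_\w+=")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_unauthenticated_dashboard_hits(log_text: str) -> List[Dict[str, str]]:
    """Return entries for 2xx dashboard requests that carried no session cookie."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not DASHBOARD_RE.match(entry["path"]):
            continue  # malformed line or unrelated endpoint
        if not entry["status"].startswith("2"):
            continue  # 302/403 means the server refused: the patched behaviour
        if SESSION_COOKIE_RE.search(entry["cookie"]):
            continue  # a logged-in user; expected traffic
        hits.append(entry)
    return hits


def summarize_by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per client address for triage."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for ip, n in summarize_by_source(find_unauthenticated_dashboard_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {n} unauthenticated dashboard request(s) served with 2xx")
```

A 2xx hit here on a version below 10.0.8 is evidence the flaw was reachable; after upgrading, the same requests should show up as redirects or 403s.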