CVE-2023-41322 in GLPI

Summary

by MITRE • 10/25/2023

GLPI (Gestionnaire Libre de Parc Informatique) is a free asset and IT management software package that provides ITIL service desk features, license tracking and software auditing. A user with write access to another user can make requests to change the latter's password and then take control of their account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.


Analysis

by VulDB Data Team • 10/25/2023

The vulnerability identified as CVE-2023-41322 affects GLPI, a widely used open-source IT asset and service management platform that implements ITIL service desk functionality. The software is a critical component of enterprise IT infrastructure management, handling sensitive data including user credentials, asset information, and service desk operations. The vulnerability resides in the user privilege management system: a design flaw allows authenticated users with write permission on another user's account to trigger the password reset functionality for that account. This is a significant weakness in the software's access control mechanisms and a privilege escalation path.

The technical flaw manifests as a privilege escalation vulnerability classified under CWE-284 (Improper Access Control) within the GLPI application's user management module. An attacker with write access to another user account can exploit this weakness to initiate password change requests for the target user, effectively bypassing normal authentication controls. This vulnerability directly violates the principle of least privilege and demonstrates inadequate validation of user permissions during sensitive operations such as password modification. The flaw exists because the application fails to properly verify that the requesting user has appropriate authorization levels to modify another user's credentials, allowing lateral movement within the system through credential compromise.

The operational impact of this vulnerability extends beyond simple unauthorized access, as it enables attackers to assume full administrative control of compromised user accounts. This compromise can lead to unauthorized access to sensitive IT asset data, service desk tickets, license information, and software auditing records. The vulnerability affects the integrity and confidentiality of the entire GLPI deployment, as compromised accounts can be used to modify system configurations, access restricted resources, and potentially escalate privileges to administrator-level accounts. Organizations relying on GLPI for ITIL service desk operations face significant risk of data breaches and unauthorized system modifications, particularly in environments where multiple users have write access permissions.

Security practitioners should immediately upgrade to GLPI version 10.0.10 to remediate this vulnerability, as no effective workarounds exist to mitigate the risk. In ATT&CK terms the vulnerability falls under privilege escalation and is mapped to the techniques T1078 (Valid Accounts) and T1566 (Phishing). Organizations should carry out immediate access control reviews, ensuring that write permission on user accounts is strictly limited to authorized personnel. Additionally, monitoring should be enhanced to detect password change requests initiated by someone other than the account owner, and network segmentation should limit what a compromised account can reach. The vulnerability highlights the importance of proper access control implementation and the need for regular security assessments of authentication mechanisms in enterprise management systems, and underscores the importance of keeping software up to date and maintaining robust privilege management policies in IT service management platforms.
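To make the flaw described in the analysis concrete, and the detection the last paragraph recommends, here is an added example (hypothetical model, not GLPI's own code): a weak authorization check that treats write access on a user record as authority over that user's password, the hardened check that requires a separate password-reset right, and a detector run over constructed audit records. The right names `user:write` and `user:reset_password` and the event fields are assumptions.

```python
"""Hypothetical model of the CVE-2023-41322 access-control flaw (not GLPI code)."""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    rights: set = field(default_factory=set)  # assumed right names, e.g. "user:write"


def weak_can_set_password(actor: User, target: User) -> bool:
    # Vulnerable pattern described in the advisory: write access on the
    # user entity is treated as authority over the account's credentials,
    # so anyone who can edit the user record can take the account over.
    return actor.name == target.name or "user:write" in actor.rights


def strict_can_set_password(actor: User, target: User) -> bool:
    # Hardened check (least privilege): editing profile fields and resetting
    # a password are distinct privileges; only the owner or a holder of the
    # explicit reset right may change another account's password.
    return actor.name == target.name or "user:reset_password" in actor.rights


def suspicious_password_changes(events):
    """Detection rule over audit records: flag password changes where the
    actor is not the account owner and holds no explicit reset right.
    Each event is a dict with 'actor', 'target' and 'actor_rights'."""
    flagged = []
    for e in events:
        if e["actor"] != e["target"] and "user:reset_password" not in e["actor_rights"]:
            flagged.append((e["actor"], e["target"]))
    return flagged


# Constructed sample audit records (not real GLPI log output).
SAMPLE_EVENTS = [
    {"actor": "alice", "target": "alice", "actor_rights": {"user:write"}},
    {"actor": "helpdesk1", "target": "bob", "actor_rights": {"user:write"}},
    {"actor": "admin", "target": "carol",
     "actor_rights": {"user:write", "user:reset_password"}},
]

if __name__ == "__main__":
    helpdesk, bob = User("helpdesk1", {"user:write"}), User("bob")
    print("weak:", weak_can_set_password(helpdesk, bob))      # True (takeover possible)
    print("strict:", strict_can_set_password(helpdesk, bob))  # False
    print("flagged:", suspicious_password_changes(SAMPLE_EVENTS))
```

The same rule can be applied to real audit logs once the actor and target of each password change are extracted from them.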

Responsible

GitHub, Inc.

Reservation

08/28/2023

Disclosure

10/25/2023

Moderation

accepted

CPE

ready

EPSS

0.00731

KEV

no

Activities

very low
