CVE-2024-47760 in GLPI

Summary

by MITRE • 12/11/2024

GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.17, a technician with access to the API can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue.


Analysis

by VulDB Data Team • 01/24/2025

The vulnerability identified as CVE-2024-47760 affects GLPI, a widely used open-source asset and IT management software package that organizations use to track hardware, software, and IT resources. The flaw exists in versions 9.1.0 through 10.0.16 and creates a significant privilege escalation risk within the application's API access controls. It is reachable by technicians who hold API access permissions: such a user can exploit the flaw to take over a higher-privileged account. This is a critical weakness in the software's access control mechanisms, since a malicious or compromised technician can elevate their privileges and reach sensitive administrative functions.

The technical nature of this vulnerability stems from insufficient validation and authorization checks within the GLPI API implementation. When a technician with API access makes specific requests to the application's API endpoints, the system fails to properly verify that the requesting user has adequate permissions to perform actions that would affect accounts with higher privileges. This flaw falls under the category of improper access control as defined by CWE-285, where the application does not adequately enforce authorization checks for operations that could result in privilege escalation. The vulnerability creates a path for attackers to manipulate API requests in such a way that they can assume the identity and privileges of other users, potentially including administrators or users with elevated permissions.

The operational impact of CVE-2024-47760 is substantial for organizations relying on GLPI for their IT asset management and service desk operations. A successful exploitation could allow a technician with API access to gain unauthorized administrative privileges, potentially leading to complete system compromise. Attackers could access sensitive data, modify or delete critical system configurations, manipulate user accounts, and potentially escalate their access further within the organization's IT infrastructure. This vulnerability directly impacts the principle of least privilege and could enable attackers to pivot from a compromised technician account to gain access to other systems that might share authentication mechanisms with GLPI. The attack vector aligns with techniques described in the MITRE ATT&CK framework under privilege escalation tactics, specifically targeting API-based attacks that exploit weak access controls.

Organizations utilizing GLPI versions between 9.1.0 and 10.0.16 should immediately implement the patch provided in version 10.0.17 to remediate this vulnerability. System administrators should conduct comprehensive security assessments of their GLPI installations, reviewing API access permissions and monitoring for any suspicious activity that might indicate exploitation attempts. The patch addresses the root cause by implementing proper authorization checks and validation mechanisms within the API processing logic. Additionally, organizations should consider implementing network segmentation and monitoring for unusual API activity patterns, particularly around account manipulation requests. Regular security audits of API access controls and privilege assignments should be conducted to prevent similar vulnerabilities from emerging in other components of the IT management infrastructure. The vulnerability demonstrates the critical importance of maintaining up-to-date security patches and implementing robust access control policies in enterprise IT management systems.
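One concrete form of the API monitoring recommended above is to review write requests against User records where the acting session is below administrator rank or the target account outranks the actor. The following is an added example, not GLPI's own code or log format: it assumes a constructed access-log line shape ("timestamp login METHOD path"), a defender-supplied map of logins to GLPI user ids and profiles, and the GLPI REST convention of addressing user records as /apirest.php/User/<id>.

```python
import re

# Constructed ranks and directory: login -> (GLPI user id, profile).
RANK = {"self-service": 0, "technician": 1, "admin": 2, "super-admin": 3}
USERS = {"tech1": (12, "technician"), "tech2": (13, "technician"),
         "alice": (2, "super-admin")}
ID_TO_LOGIN = {uid: login for login, (uid, _) in USERS.items()}

# Assumed log line shape (constructed): "<ts> <actor_login> <METHOD> <path>".
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+)")
# GLPI's REST API addresses user records as /apirest.php/User/<id>.
USER_PATH_RE = re.compile(r"/apirest\.php/User/(\d+)(?:/|$)")
WRITE_METHODS = {"PUT", "PATCH", "POST", "DELETE"}


def check_line(line):
    """Return (ts, actor, target, reason) for a suspicious write, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, actor, method, path = m.groups()
    t = USER_PATH_RE.search(path)
    if method not in WRITE_METHODS or not t:
        return None  # reads and non-User endpoints are out of scope here
    target = ID_TO_LOGIN.get(int(t.group(1)))
    if actor not in USERS or target is None:
        return (ts, actor, t.group(1), "unknown actor or target account")
    a_rank, t_rank = RANK[USERS[actor][1]], RANK[USERS[target][1]]
    # Two patterns worth review: a sub-admin writing to any account but its
    # own, and any actor writing to an account that outranks it.
    if actor != target and a_rank < RANK["admin"]:
        return (ts, actor, target, "non-admin wrote another account")
    if t_rank > a_rank:
        return (ts, actor, target, "target outranks actor")
    return None


def scan(lines):
    return [f for f in map(check_line, lines) if f]


# Constructed sample traffic: a technician reads an admin, edits itself,
# then writes to the admin's account; a super-admin edits a technician.
SAMPLE = [
    "2024-12-12T09:00:01Z tech1 GET /apirest.php/User/2",
    "2024-12-12T09:00:05Z tech1 PUT /apirest.php/User/12",
    "2024-12-12T09:00:09Z tech1 PUT /apirest.php/User/2",
    "2024-12-12T09:01:00Z alice PUT /apirest.php/User/13",
]
```

Only the third sample line is reported: a technician writing to a super-admin's record, which is the shape of activity the patch in 10.0.17 is meant to block.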

Responsible: GitHub M

Reservation: 09/30/2024

Disclosure: 12/11/2024

Moderation: accepted

CPE: ready

EPSS: 0.00457

KEV: no

Activities: very low
