CVE-2021-21255

EPSS 0.27%
Published 02.03.2021 20:15:14
Last modified 21.11.2024 05:47:52
Source security-advisories@github.com
Teams watchlist Login
Open Login

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI version 9.5.3, it was possible to switch entities with IDOR from a logged in user. This is fixed in version 9.5.4.

Affected products Warnungen 0 Metrics 4 CWE 2 References 5

Data is provided by the National Vulnerability Database (NVD)

Glpi-project ≫ Glpi Version9.5.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.27%	0.503

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.7	2.1	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
nvd@nist.gov	3.5	6.8	2.9	AV:N/AC:M/Au:S/C:P/I:N/A:N
security-advisories@github.com	5.8	1.3	4	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc

Patch

Third Party Advisory

https://github.com/glpi-project/glpi/security/advisories/GHSA-v3m5-r3mx-ff9j

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-21255

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-21255

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-21255

EUVD