CVE-2021-21255

EPSS 0.27%
Veröffentlicht 02.03.2021 20:15:14
Zuletzt bearbeitet 21.11.2024 05:47:52
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI version 9.5.3, it was possible to switch entities with IDOR from a logged in user. This is fixed in version 9.5.4.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Glpi-project ≫ Glpi Version9.5.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.27%	0.503

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.7	2.1	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
nvd@nist.gov	3.5	6.8	2.9	AV:N/AC:M/Au:S/C:P/I:N/A:N
security-advisories@github.com	5.8	1.3	4	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc

Patch

Third Party Advisory

https://github.com/glpi-project/glpi/security/advisories/GHSA-v3m5-r3mx-ff9j

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-21255

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-21255

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-21255

EUVD