CVE-2023-41324: Critical Vulnerability in GLPI allows API users with Read Access to compromise other accounts
The Gestionnaire Libre de Parc Informatique, or GLPI, is a free asset and IT management software package designed to provide ITIL Service Desk features, licenses tracking, and software auditing. It is widely used by businesses to monitor and manage their IT assets effectively. Recently, a critical vulnerability (CVE-2023-41324) was discovered in GLPI that enables API users with read access on user resources to compromise the accounts of other users. This poses a significant security risk to affected businesses as it can lead to unauthorized access to sensitive data.
This article will outline the details of the CVE-2023-41324 vulnerability, provide code snippets to demonstrate its impact, and direct you to the original references for further information. Lastly, we will discuss how users can mitigate this vulnerability by upgrading to GLPI version 10..10, and note that there are no known workarounds for this issue.
Vulnerability Details
The CVE-2023-41324 vulnerability is a logical error in the GLPI permissions system, resulting in an unauthorized API user being able to read and modify other API user's data. The vulnerability is present in GLPI versions prior to 10..10. It has been labeled as a critical issue with a CVSS score of 9.1 out of 10.
The vulnerability can be triggered using the following code snippet
GET /api/users/{ID} HTTP/1.1
Host: glpi.example.com
Authorization: user_token <API_TOKEN>
In this example, an attacker with knowledge of a valid API token and target user ID could send a malicious GET request to the GLPI API endpoint, retrieving sensitive data and compromising the targeted user account.
Links to Original References
For more information on the CVE-2023-41324 vulnerability and its impact on GLPI, you can refer to the following resources:
1. Official GLPI Security Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-2f4h-p764-x9hf
2. CVE-2023-41324 Entry in the CVE List: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41324
3. National Vulnerability Database Entry: https://nvd.nist.gov/vuln/detail/CVE-2023-41324
Exploit Details
As previously mentioned, the vulnerability can be exploited by a malicious actor with knowledge of a valid API token and target user ID, allowing them to access and modify sensitive data and potentially compromise other user accounts.
Identify the target user's unique ID.
3. Craft a malicious GET request (as shown in the code snippet above) using the API token and target user ID.
Receive and utilize the sensitive data retrieved from the compromised account.
It is important to note that there are no known workarounds for this vulnerability, necessitating the need for affected users to upgrade to the latest GLPI version 10..10 as soon as possible.
Mitigation
To safeguard your GLPI installation from this critical vulnerability, users are strongly advised to upgrade to GLPI version 10..10. This updated version contains a security patch that addresses and resolves the CVE-2023-41324 vulnerability. To download the latest version, visit the official GLPI website at: https://github.com/glpi-project/glpi/releases/tag/10..10
As stated earlier, there are no known workarounds for this vulnerability, so it is crucial to upgrade to the latest version of GLPI promptly.
Conclusion
CVE-2023-41324 is a critical vulnerability in GLPI that poses significant risks to the security and integrity of affected installations. Users who have not yet upgraded to the latest version (10..10) should do so immediately to ensure the safety of their systems and data. Stay informed on the latest security advisories and take proactive measures to protect your IT assets and sensitive information.
Timeline
Published on: 09/27/2023 15:19:00 UTC
Last modified on: 09/29/2023 18:11:00 UTC