CVE-2024-50339: Unauthenticated Session ID Retrieval in GLPI Prior to Version 10.0.17
GLPI (Gestionnaire Libre de Parc Informatique) is a free and open-source asset and IT management software package widely used for inventory and issue tracking. Unfortunately, versions 9.5.0 to 10.0.16 of GLPI contain a security vulnerability that allows an unauthenticated user to fetch all active session IDs. Once retrieved, these session IDs can be used to hijack legitimate user sessions, giving full access to the affected GLPI system. The vulnerability has been assigned CVE-2024-50339 and is fixed in GLPI version 10.0.17.
Details
The vulnerability stems from a weakness in how active session IDs are managed. An unauthenticated user can send a request to a specific URL within GLPI, and the server responds with all the active session IDs. This response should never be reachable without authentication. The URL is:
/glpi/ajax/getDropdownValue.php?itemtype=_logs_id_search_option and idtodisplaychanget<>
Exploit
An attacker can use the vulnerability to retrieve all active session IDs and potentially take over user sessions. With a single HTTP request, an attacker can gain unauthorized access to the GLPI system without knowing any valid credentials.
An example request is:
GET /glpi/ajax/getDropdownValue.php?itemtype=_logs_id_search_option and idtodisplaychanget<> HTTP/1.1
Host: target.glpi.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://target.glpi.example.com/glpi/front/ticket.php
Once the attacker has the list of active session IDs, they can perform session hijacking and gain unauthorized access to user accounts on the GLPI system.
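A defender who cannot patch immediately will want to know whether this endpoint is being probed. The following Python script is an added example, not part of the original advisory or of GLPI itself: it scans Apache/nginx "combined"-format access log lines for requests to ajax/getDropdownValue.php whose itemtype parameter is the _logs_id_search_option value shown above. The log lines are constructed samples, and the log regex assumes the default combined format. Because getDropdownValue.php is also used by the normal GLPI UI, only that specific itemtype is treated as a probe; an access log cannot show whether the caller was authenticated, so findings should be cross-checked against GLPI's own session records.

```python
"""Added example: flag access-log requests matching the CVE-2024-50339 probe pattern.

Scans Apache/nginx "combined"-format access log lines for requests to GLPI's
ajax/getDropdownValue.php endpoint whose itemtype parameter is the
_logs_id_search_option value named in the advisory. The log lines at the bottom
are constructed samples, not captured traffic.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

ENDPOINT_SUFFIX = "/ajax/getDropdownValue.php"
PROBE_ITEMTYPE = "_logs_id_search_option"


def is_session_enum_probe(target: str) -> bool:
    """True when the request target hits getDropdownValue.php with the
    itemtype value the advisory associates with session-ID disclosure.

    getDropdownValue.php is also used by the normal GLPI UI (e.g. itemtype=Computer),
    so only the specific itemtype is treated as a probe.
    """
    parts = urlsplit(target)
    if not parts.path.endswith(ENDPOINT_SUFFIX):
        return False
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    for value in query.get("itemtype", []):
        # Tolerate trailing text after the itemtype (the advisory's URL carries extra text).
        if value.strip().startswith(PROBE_ITEMTYPE):
            return True
    return False


def scan_access_log(lines):
    """Return one finding per matching request, preserving log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if is_session_enum_probe(m["target"]):
            findings.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "status": int(m["status"]),
                "target": m["target"],
            })
    return findings


def probes_by_source(findings):
    """Count matching requests per source IP, useful for alert grouping."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2024:02:10:11 +0000] "GET /glpi/ajax/getDropdownValue.php?itemtype=Computer&display_emptychoice=1 HTTP/1.1" 200 512 "http://target.glpi.example.com/glpi/front/ticket.php" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Dec/2024:02:11:42 +0000] "GET /glpi/ajax/getDropdownValue.php?itemtype=_logs_id_search_option%20and%20idtodisplaychanget HTTP/1.1" 200 8192 "-" "curl/8.0"',
    '198.51.100.9 - - [12/Dec/2024:02:12:03 +0000] "GET /glpi/front/ticket.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Dec/2024:02:12:30 +0000] "GET /glpi/ajax/getDropdownValue.php?itemtype=_logs_id_search_option HTTP/1.1" 403 100 "-" "curl/8.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["timestamp"]} {h["ip"]} status={h["status"]} {h["target"]}')
    print("per-source counts:", probes_by_source(hits))
```

A 200 response with a sizeable body on a matching request, from a source that never otherwise authenticates, is the case worth escalating; a 403 on the same pattern after patching is the expected post-fix behaviour and confirms the endpoint is now rejecting unauthenticated callers.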
Risk
This vulnerability poses a serious risk to organizations using unpatched versions of GLPI. The ability to steal session IDs allows an attacker to access sensitive data and functionality, including inventory management, issue tracking, and potentially even administrative privileges.
Mitigation
It is critically important for organizations using affected versions of GLPI to update to version 10.0.17 or later, which contains a patch for this vulnerability. The patch prevents unauthenticated users from accessing the endpoint used to retrieve session IDs.
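To check an inventory of GLPI installs against the affected range, the following Python helper is an added example (not GLPI project code): it parses a version string, reports whether it lies between 9.5.0 and 10.0.16 inclusive, and treats a pre-release build of 10.0.17 (such as 10.0.17-dev) conservatively as affected, since such a build may predate the fix. The GLPI_VERSION constant and its location in inc/define.php are assumptions about GLPI's source layout; verify them against your own install, and the PHP excerpt below is constructed for illustration.

```python
"""Added example: decide whether a GLPI install falls in the CVE-2024-50339 range.

Affected: 9.5.0 through 10.0.16 (per the advisory). Fixed: 10.0.17.
The GLPI_VERSION constant and inc/define.php location are assumptions about
GLPI's source layout; verify against your own install.
"""
import re

FIRST_AFFECTED = (9, 5, 0)
FIXED_IN = (10, 0, 17)

_VERSION_RE = re.compile(r"\s*v?(\d+(?:\.\d+)*)(?P<suffix>[^\s]*)")
_PRERELEASE_RE = re.compile(r"(dev|alpha|beta|rc)", re.IGNORECASE)


def parse_version(text):
    """'10.0.16-dev' -> ((10, 0, 16), True); '10.0.17' -> ((10, 0, 17), False).

    Missing components are padded with zeros; raises ValueError if no
    numeric version is present.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    core = (parts + (0, 0, 0))[:3]
    prerelease = bool(_PRERELEASE_RE.search(m.group("suffix")))
    return core, prerelease


def is_affected(version_text):
    """True when the version lies in [9.5.0, 10.0.17).

    A pre-release build of the fixed version (e.g. 10.0.17-dev) may predate
    the patch, so it is conservatively reported as affected.
    """
    core, prerelease = parse_version(version_text)
    if core == FIXED_IN and prerelease:
        return True
    return FIRST_AFFECTED <= core < FIXED_IN


# Assumption: GLPI declares its version as define('GLPI_VERSION', '...') in inc/define.php.
_DEFINE_RE = re.compile(
    r"define\(\s*['\"]GLPI_VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*\)"
)


def version_from_define(php_source):
    """Pull the version out of the define('GLPI_VERSION', '...') statement.
    Returns None if the constant is not found."""
    m = _DEFINE_RE.search(php_source)
    return m.group(1) if m else None


# Constructed excerpt resembling inc/define.php (not copied from GLPI).
SAMPLE_DEFINE_PHP = """<?php
// constructed sample
define('GLPI_VERSION', '10.0.16');
"""

if __name__ == "__main__":
    v = version_from_define(SAMPLE_DEFINE_PHP)
    print(f"GLPI_VERSION={v} affected={is_affected(v)}")
    for candidate in ["9.4.6", "9.5.0", "10.0.16", "10.0.17-dev", "10.0.17", "10.0.18"]:
        print(f"{candidate:12} affected={is_affected(candidate)}")
```

The check is purely numeric on the version string; a vendor-backported fix on an older branch would not be detected, so pair it with the release notes in the references when a reported version looks unusual.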
References
1. GLPI Repository on GitHub: https://github.com/glpi-project/glpi
2. GLPI Security Release Notes: https://github.com/glpi-project/glpi/releases/tag/10.0.17
3. CVE-2024-50339 Record on NIST National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2024-50339
Conclusion
In summary, CVE-2024-50339 is a critical vulnerability in GLPI versions 9.5.0 through 10.0.16 that allows unauthenticated users to retrieve active session IDs and potentially hijack active user sessions. Organizations should update their GLPI installations to version 10.0.17 or later, which includes the patch for this vulnerability.
Timeline
Published on: 12/12/2024 02:06:19 UTC