2022-06-08 08:10:34 +00:00
id : CVE-2021-39211
info :
2023-02-01 17:58:20 +00:00
name : GLPI 9.2/<9.5.6 - Information Disclosure
2022-06-08 08:10:34 +00:00
author : dogasantos,noraj
severity : medium
2023-02-01 17:58:20 +00:00
description : GLPI 9.2 and prior to 9.5.6 is susceptible to information disclosure via the telemetry endpoint, which discloses GLPI and server information. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
2023-09-27 15:51:13 +00:00
impact : |
Information disclosure vulnerability in GLPI versions 9.2 to <9.5.6 allows an attacker to access sensitive information.
2023-09-06 12:09:01 +00:00
remediation : This issue is fixed in version 9.5.6. As a workaround, remove the file ajax/telemetry.php, which is not needed for usual GLPI functions.
2022-06-08 08:10:34 +00:00
reference :
- https://github.com/glpi-project/glpi/security/advisories/GHSA-xx66-v3g5-w825
2022-06-08 12:17:33 +00:00
- https://github.com/glpi-project/glpi/releases/tag/9.5.6
2023-02-01 17:58:20 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2021-39211
2022-06-08 08:10:34 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score : 5.3
cve-id : CVE-2021-39211
2023-10-17 06:11:14 +00:00
cwe-id : CWE-200,NVD-CWE-noinfo
2023-11-10 09:15:01 +00:00
epss-score : 0.00166
2024-01-14 13:49:27 +00:00
epss-percentile : 0.53226
2023-09-06 12:09:01 +00:00
cpe : cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*
2023-04-28 08:11:21 +00:00
metadata :
max-request : 2
2023-07-11 19:49:27 +00:00
vendor : glpi-project
product : glpi
2023-12-05 09:50:33 +00:00
tags : cve,cve2021,glpi,exposure,glpi-project
2022-06-08 08:10:34 +00:00
2023-04-27 04:28:59 +00:00
http :
2022-06-08 08:10:34 +00:00
- method : GET
path :
- "{{BaseURL}}/ajax/telemetry.php"
- "{{BaseURL}}/glpi/ajax/telemetry.php"
matchers-condition : and
matchers :
- type : word
words :
- '"uuid":'
- '"glpi":'
condition : and
- type : status
status :
- 200
2024-01-14 14:05:19 +00:00
# digest: 4a0a00473045022100c18af0f3b644d77d9081421e5f929b5cca0e2dc971b8c6ad1e33c930707aa125022011d3045f9cd5dfe49d48991356c6428d5fd19e5598a047e23a975d56a7dcd71a:922c64590222798bb761d5b6d8e72950