Description

GLPI is a free Asset and IT management software package. Starting in version 9.1 and prior to version 9.5.6, GLPI with API Rest enabled is vulnerable to API bypass with custom header injection. This issue is fixed in version 9.5.6. One may disable API Rest as a workaround.

Related CPE's

a

glpi-project

glpi

Vulnerable

References

https://github.com/glpi-project/glpi/releases/tag/9.5.6

Release NotesThird Party Advisory

https://github.com/glpi-project/glpi/security/advisories/GHSA-6w9f-2m6g-5777

Third Party Advisory

Weaknesses

[email protected]

Primary
CWE-74

[email protected]

Secondary
CWE-74

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.8 · High

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2021-09-15T17:15:10.337

3 years ago

Last modified

2021-09-28T16:55:16.367

3 years ago