Description
GLPI is a free Asset and IT management software package. Starting in version 9.1 and prior to version 9.5.6, GLPI with API Rest enabled is vulnerable to API bypass with custom header injection. This issue is fixed in version 9.5.6. One may disable API Rest as a workaround.
References
https://github.com/glpi-project/glpi/releases/tag/9.5.6
Release NotesThird Party Advisory
https://github.com/glpi-project/glpi/security/advisories/GHSA-6w9f-2m6g-5777
Third Party Advisory
CVSS impact metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 · High
CVSS V3.1
CVSS V3.0
CVSS V2.0
Information
Source identifier
Vulnerability status
Analyzed
Published
2021-09-15T17:15:10.337
3 years agoLast modified
2021-09-28T16:55:16.367
3 years ago