Vulnerability Description
In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User. The response contains: - All api_tokens which can be used to do privileges escalations or read/update/delete data normally non accessible to the current user. - All personal_tokens can display another users planning. Exploiting this vulnerability requires the api to be enabled, a technician account. It can be mitigated by adding an application token. This is fixed in version 9.4.6.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Glpi-Project | Glpi | >= 9.1, < 9.4.6 |
| Fedoraproject | Fedora | 31 |
Related Weaknesses (CWE)
References
- https://github.com/glpi-project/glpi/security/advisories/GHSA-rf54-3r4w-4h55Vendor Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://github.com/glpi-project/glpi/security/advisories/GHSA-rf54-3r4w-4h55Vendor Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
FAQ
What is CVE-2020-11033?
CVE-2020-11033 is a vulnerability with a CVSS score of 6.6 (MEDIUM). In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User. The response contains: - All api...
How severe is CVE-2020-11033?
CVE-2020-11033 has been rated MEDIUM with a CVSS base score of 6.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-11033?
Check the references section above for vendor advisories and patch information. Affected products include: Glpi-Project Glpi, Fedoraproject Fedora.