Vulnerability Description
GLPI is a free Asset and IT management software package. Starting in version 9.2 and prior to version 9.5.6, the telemetry endpoint discloses GLPI and server information. This issue is fixed in version 9.5.6. As a workaround, remove the file `ajax/telemetry.php`, which is not needed for usual functions of GLPI.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Glpi-Project | Glpi | >= 9.2, < 9.5.6 |
Related Weaknesses (CWE)
References
- https://github.com/glpi-project/glpi/releases/tag/9.5.6Release NotesThird Party Advisory
- https://github.com/glpi-project/glpi/security/advisories/GHSA-xx66-v3g5-w825Third Party Advisory
- https://github.com/glpi-project/glpi/releases/tag/9.5.6Release NotesThird Party Advisory
- https://github.com/glpi-project/glpi/security/advisories/GHSA-xx66-v3g5-w825Third Party Advisory
FAQ
What is CVE-2021-39211?
CVE-2021-39211 is a vulnerability with a CVSS score of 5.3 (MEDIUM). GLPI is a free Asset and IT management software package. Starting in version 9.2 and prior to version 9.5.6, the telemetry endpoint discloses GLPI and server information. This issue is fixed in versio...
How severe is CVE-2021-39211?
CVE-2021-39211 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-39211?
Check the references section above for vendor advisories and patch information. Affected products include: Glpi-Project Glpi.