Vulnerability CVE-2021-21327: Information

Description

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 non-authenticated user can remotely instantiate object of any class existing in the GLPI environment that can be used to carry out malicious attacks, or to start a “POP chain”. As an example of direct impact, this vulnerability affects integrity of the GLPI core platform and third-party plugins runtime misusing classes which implement some sensitive operations in their constructors or destructors. This is fixed in version 9.5.4.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-21327
Published: March 8, 2021
Modified: June 26, 2023
Error type identifier: CWE-470

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
glpisisyphus9.5.4-alt110.0.15-alt1ALT-PU-2021-1583-1268732Fixed
glpip109.5.4-alt110.0.15-alt1ALT-PU-2021-1583-1268732Fixed
glpip99.5.4-alt19.5.13-alt1ALT-PU-2021-1660-1269862Fixed
glpic10f19.5.4-alt110.0.15-alt1ALT-PU-2021-1583-1268732Fixed
glpic9f29.5.13-alt19.5.13-alt1ALT-PU-2024-8094-3348598Fixed
glpip119.5.4-alt110.0.15-alt1ALT-PU-2021-1583-1268732Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/glpi-project/glpi/security/advisories/GHSA-qmw7-w2m4-rjwp
  • Vendor Advisory
https://github.com/glpi-project/glpi/releases/tag/9.5.4
  • Release Notes
http://packetstormsecurity.com/files/161680/GLPI-9.5.3-Unsafe-Reflection.html
  • Exploit
  • Third Party Advisory
  • VDB Entry

    1. Configuration 1

      cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*
      End excliding
      9.5.4
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: v24.5.3
Back to top