Vulnerability CVE-2021-39213: Information

Description

GLPI is a free Asset and IT management software package. Starting in version 9.1 and prior to version 9.5.6, GLPI with API Rest enabled is vulnerable to API bypass with custom header injection. This issue is fixed in version 9.5.6. One may disable API Rest as a workaround.

Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-39213
Published: Sept. 15, 2021
Modified: Sept. 28, 2021
Error type identifier: CWE-74

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
glpisisyphus9.5.6-alt110.0.15-alt1ALT-PU-2021-3030-1286922Fixed
glpip109.5.6-alt110.0.15-alt1ALT-PU-2021-3038-1287043Fixed
glpip99.5.6-alt19.5.13-alt1ALT-PU-2021-3059-1287044Fixed
glpic10f19.5.6-alt110.0.15-alt1ALT-PU-2021-3038-1287043Fixed
glpic9f29.5.13-alt19.5.13-alt1ALT-PU-2024-8094-3348598Fixed
glpip119.5.6-alt110.0.15-alt1ALT-PU-2021-3030-1286922Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/glpi-project/glpi/security/advisories/GHSA-6w9f-2m6g-5777
  • Third Party Advisory
https://github.com/glpi-project/glpi/releases/tag/9.5.6
  • Release Notes
  • Third Party Advisory

    1. Configuration 1

      cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*
      Start including
      9.1
      End excliding
      9.5.6
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: v24.5.3
Back to top