CVE-2020-26212 Information
Description
GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package that provides ITIL Service Desk features licenses tracking and software auditing. In GLPI before version 9.5.3 any authenticated user has read-only permissions to the planning of every other user even admin ones. Steps to reproduce the behavior: 1. Create a new planning with ’eduardo.mozart’ user (from ‘IT’ group that belongs to ‘Super-admin’) into it’s personal planning at ‘Assistance’ > ‘Planning’. 2. Copy the CalDAV url and use a CalDAV client (e.g. Thunderbird) to sync the planning with the provided URL. 3. Inform the username and password from any valid user (e.g. ‘camila’ from ‘Proativa’ group). 4. ‘Camila’ has read-only access to ’eduardo.mozart’ personal planning. The same behavior happens to any group. E.g. ‘Camila’ has access to ‘IT’ group planning even if she doesn’t belong to this group and has a ‘Self-service’ profile permission). This issue is fixed in version 9.5.3. As a workaround one can remove the caldav.php file to block access to CalDAV server.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Reference
https://github.com/glpi-project/glpi/security/advisories/GHSA-qmw3-87hr-5wgx https://github.com/glpi-project/glpi/releases/tag/9.5.3 https://github.com/glpi-project/glpi/commit/527280358ec78988ac57e9809d2eb21fcd74caf7 GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package that provides ITIL Service Desk features licenses tracking and software auditing. In GLPI before version 9.5.3 any authenticated user has read-only permissions to the planning of every other user even admin ones. Steps to reproduce the behavior: 1. Create a new planning with ’eduardo.mozart’ user (from ‘IT’ group that belongs to ‘Super-admin’) into it’s personal planning at ‘Assistance’
‘Planning’.
2.
Copy
the
CalDAV
url
and
use
a
CalDAV
client
(e.g.
Thunderbird)
to
sync
the
planning
with
the
provided
URL.
3.
Inform
the
username
and
password
from
any
valid
user
(e.g.
‘camila’
from
‘Proativa’
group).
4.
‘Camila’
has
read-only
access
to
’eduardo.mozart’
personal
planning.
The
same
behavior
happens
to
any
group.
E.g.
‘Camila’
has
access
to
‘IT’
group
planning
even
if
she
doesn’t
belong
to
this
group
and
has
a
‘Self-service’
profile
permission).
This
issue
is
fixed
in
version
9.5.3.
As
a
workaround
one
can
remove
the
caldav.php
file
to
block
access
to
CalDAV
server.
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
LOW
Scope
NONE
Confidentiality Impact
UNCHANGED
Integrity Impact
HIGH
Availability Impact
NONE
Base Score
NONE
Base Severity
6.5
Share on: