Unauthorized setup leads to SSRF in Combodo/iTop
CVE-2021-32663

8.7HIGH

Key Information:

Vendor: Combodo
Status: Itop
Vendor: CVE Published:; 19 October 2021

🔔 Create Combodo Vulnerability Alert

What is CVE-2021-32663?

iTop is an open source web based IT Service Management tool. In affected versions an attacker can call the system setup without authentication. Given specific parameters this can lead to SSRF. This issue has been resolved in versions 2.6.5 and 2.7.5 and later

Affected Version(s)

iTop < 2.6.5 < 2.6.5

iTop >= 2.7.0, < 2.7.5 < 2.7.0, 2.7.5

References

https://github.com/Combodo/iTop/security/advisories/GHSA-...

x_refsource_CONFIRM

https://github.com/Combodo/iTop/commit/43daa2ef088bf928a2...

x_refsource_MISC

https://github.com/Combodo/iTop/commit/6be9a87c150978752b...

x_refsource_MISC

CVSS V3.1

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 19, 2021
Vulnerability Reserved
May 12, 2021

.