Arbitrary Object Instantiation Vulnerability Patched in GLPI v10.0.13
CVE-2024-27098

9.6CRITICAL

Key Information:

Vendor
Glpi-project
Status
Glpi
Vendor
CVE Published:
18 March 2024

Summary

GLPI, widely used for asset and IT management, is vulnerable to an SSRF attack facilitated by Arbitrary Object Instantiation. This weakness allows authenticated users to inadvertently access internal resources, potentially leading to unauthorized information disclosure. To mitigate this issue, users are urged to upgrade to GLPI version 10.0.13, which includes essential patches addressing the vulnerability. For further details, the GLPI project provides specific advisories and commit information on their GitHub repository.

Affected Version(s)

glpi >= 9.5.0, < 10.0.13

References

https://github.com/glpi-project/glpi/security/advisories/...
x_refsource_CONFIRM
https://github.com/glpi-project/glpi/commit/3b6bc1b4aa1f3...
x_refsource_MISC
https://github.com/glpi-project/glpi/releases/tag/10.0.13
x_refsource_MISC

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.