Authentication Bypass Vulnerability in GLPI IT Management Software
CVE-2025-23046
6.3 MEDIUM
Summary
GLPI, a widely used free asset and IT management software package, contains an authentication bypass. The flaw is reachable when a 'Mail servers' authentication provider is configured to authenticate over an OAuth connection through the OauthIMAP plugin: in affected versions (9.5.0 and later, before 10.0.18) anyone can log in to GLPI as a username for which an OAuth authorization has been established, without holding that account's credentials. Version 10.0.18 contains a patch; upgrade to it. As a workaround until the upgrade, disable any 'Mail servers' authentication provider that uses an OAuth connection through the OauthIMAP plugin. More details are in the official advisory.
Affected Version(s)
glpi >= 9.5.0, < 10.0.18
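The version range above has an inclusive lower bound and an exclusive upper bound, and the workaround only matters for providers that actually go through OauthIMAP. The following triage helper is an added example, not GLPI project code: it parses a GLPI version string, decides whether it falls in [9.5.0, 10.0.18), and lists which 'Mail servers' providers would have to be disabled on an unpatched instance. The provider records, the version-string format (including the assumption that a pre-release such as "10.0.18-rc1" is still unpatched) and the field names are constructed for illustration and are not GLPI's schema.

```python
# Added example (not GLPI project code): triage a GLPI deployment against
# CVE-2025-23046 from its version string and its 'Mail servers' auth providers.
# Assumptions: version strings look like "10.0.17" or "10.0.18-rc1"; the
# provider records below are constructed for illustration, not GLPI's schema.
import re
from dataclasses import dataclass

AFFECTED_FROM = (9, 5, 0)   # first affected release (inclusive)
FIXED_IN = (10, 0, 18)      # first release with the patch (exclusive bound)

# core "X.Y.Z" plus an optional "-<prerelease>" suffix
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Return ((major, minor, patch), prerelease_or_None); ValueError on junk."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GLPI version: {text!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    return core, m.group(4)


def is_affected_version(text):
    """True when the version lies in [9.5.0, 10.0.18).

    A pre-release of 10.0.18 (e.g. '10.0.18-rc1') is treated as unpatched;
    this assumes pre-releases sort before the final release.
    """
    core, pre = parse_version(text)
    if core < AFFECTED_FROM:
        return False
    if core < FIXED_IN:
        return True
    return core == FIXED_IN and pre is not None


@dataclass(frozen=True)
class MailAuthProvider:
    name: str
    host: str
    oauth_via_oauthimap: bool   # True when the provider uses the OauthIMAP plugin


def providers_to_disable(version, providers):
    """Names of 'Mail servers' providers to disable as a workaround until the
    instance runs 10.0.18 or later. Empty on a patched or unaffected version."""
    if not is_affected_version(version):
        return []
    return [p.name for p in providers if p.oauth_via_oauthimap]


# Constructed sample: one plain-IMAP provider and one routed through OauthIMAP.
SAMPLE_PROVIDERS = [
    MailAuthProvider("corp-imap", "imap.corp.example", False),
    MailAuthProvider("m365-oauth", "outlook.office365.com", True),
]

if __name__ == "__main__":
    for v in ("9.4.6", "9.5.0", "10.0.17", "10.0.18-rc1", "10.0.18"):
        state = "affected" if is_affected_version(v) else "not affected"
        print(v, state, providers_to_disable(v, SAMPLE_PROVIDERS))
```

Running the block walks the boundary cases: 9.4.6 is below the range, 9.5.0 and 10.0.17 are inside it, the 10.0.18 pre-release is still flagged, and 10.0.18 itself is clean, so only the OauthIMAP-backed provider is reported on the unpatched versions.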
CVSS V4
Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: None
User Interaction: None