
CVE-2020-11033 : Security Advisory and Response

Learn about CVE-2020-11033, a vulnerability in GLPI versions 9.1 through 9.4.5 that lets authenticated REST API users read other users' sensitive tokens, potentially leading to privilege escalation and unauthorized data access. Mitigation steps and best practices follow below.

In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on the User itemtype can retrieve the full list of users, and the response includes each user's sensitive tokens. Because those tokens authenticate as their owners, the issue can lead to privilege escalation and unauthorized data access. The issue is fixed in GLPI 9.4.6.

Understanding CVE-2020-11033

This CVE describes an information disclosure in the GLPI REST API, affecting GLPI versions 9.1 through 9.4.5, that lets a low-privileged API user retrieve credentials belonging to every other user.

What is CVE-2020-11033?

In GLPI versions 9.1 through 9.4.5, an API user whose profile grants READ rights on the User itemtype can list all users through the REST API, and the returned records include those users' sensitive tokens. Tokens that belong to more privileged accounts can then be reused to act as those accounts, so the flaw leads to privilege escalation and unauthorized data access.

The Impact of CVE-2020-11033

The vulnerability is rated MEDIUM severity with a CVSS base score of 6.6. The main impact is on confidentiality (high), with a lower direct impact on integrity; exploitation requires an already-privileged, authenticated API user (the READ right on the User itemtype), which is why the privilege-required metric is high.

Technical Details of CVE-2020-11033

This section covers the affected versions and the conditions an attacker needs.

Vulnerability Description

When an API user with READ right on the User itemtype requests the user listing, the API returns every user record without stripping the token fields. Those tokens are credentials: an API token lets the holder authenticate to the REST API as that user, so obtaining an administrator's token escalates the caller's privileges and exposes data the caller could not otherwise read, modify or delete.

Affected Systems and Versions

        GLPI versions >= 9.1 and < 9.4.6 (that is, 9.1 through 9.4.5); 9.4.6 contains the fix

Exploitation Mechanism

        Requires the REST API to be enabled (it is disabled by default)
        Requires an authenticated account with READ right on the User itemtype, typically a technician-level profile; an anonymous or self-service user cannot exploit it
        Requiring an application token (App-Token) for API clients limits which clients can reach the API at all, but it does not remove the leak for a client that holds a valid application token
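The following is an added example, not code from GLPI or from the advisory, showing how a practitioner would check an instance for this leak: it logs in to the REST API with a low-privileged user token, fetches the user listing, and reports any records that expose token values. The endpoint paths and headers (initSession, User, Session-Token, App-Token, range) follow GLPI's REST API conventions; the leaked field names api_token and personal_token are assumed from GLPI's user table, and the sample response is constructed for the offline check.

```python
"""Check a GLPI REST API user listing for leaked tokens (CVE-2020-11033).

Added example, not GLPI's own code. Assumptions:
- the REST API lives at <base_url>/apirest.php with the initSession and
  User endpoints and the Session-Token / App-Token headers;
- the leaked fields are named api_token and personal_token (assumed from
  GLPI's user table; adjust if your instance names them differently).
"""
import json
import urllib.request

# Assumed names of the token columns returned in an unpatched user listing.
SENSITIVE_FIELDS = ("api_token", "personal_token")


def find_leaked_tokens(users):
    """Return {user_id: [field, ...]} for every user record that carries a
    non-empty sensitive token. An empty dict means nothing leaked."""
    leaks = {}
    for user in users:
        exposed = [field for field in SENSITIVE_FIELDS if user.get(field)]
        if exposed:
            leaks[user.get("id")] = exposed
    return leaks


def is_vulnerable(users):
    """True if the listing exposes at least one token value."""
    return bool(find_leaked_tokens(users))


def fetch_users(base_url, user_token, app_token=None, page="0-999"):
    """Open an API session with a low-privileged user token and request the
    User listing. Network only; run this against a test instance you own.
    Pass app_token when the instance requires an application token."""
    headers = {"Authorization": f"user_token {user_token}"}
    if app_token:
        headers["App-Token"] = app_token
    req = urllib.request.Request(f"{base_url}/apirest.php/initSession",
                                 headers=headers)
    with urllib.request.urlopen(req) as resp:
        session_token = json.load(resp)["session_token"]

    headers = {"Session-Token": session_token}
    if app_token:
        headers["App-Token"] = app_token
    # range selects the pagination window; a small window is enough to tell
    # whether the token fields are present at all.
    req = urllib.request.Request(f"{base_url}/apirest.php/User/?range={page}",
                                 headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample: the shape an unpatched instance's listing could take.
# Token values are placeholders, not real credentials.
SAMPLE_RESPONSE = [
    {"id": 2, "name": "glpi", "api_token": "a1b2c3d4e5f6", "personal_token": ""},
    {"id": 5, "name": "tech", "api_token": "", "personal_token": "p9q8r7s6t5"},
    {"id": 7, "name": "normal", "api_token": "", "personal_token": ""},
]

if __name__ == "__main__":
    # Offline check on the constructed sample; swap in fetch_users(...) to
    # test a live instance.
    leaks = find_leaked_tokens(SAMPLE_RESPONSE)
    print("vulnerable" if leaks else "clean", leaks)
```

On a patched instance the token fields are absent or empty in the listing and find_leaked_tokens returns an empty dict. Any user id that does appear in the result identifies a token that must be regenerated, because a token already read out of an unpatched instance stays valid after upgrading.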

Mitigation and Prevention

The fix is an upgrade; because leaked tokens remain valid after patching, remediation also has to cover credentials that may already have been read.

Immediate Steps to Take

        Update GLPI to version 9.4.6 or later, which removes the token fields from the API user listing
        Regenerate the API and personal tokens of all users on any instance that had the API enabled while running an affected version, since tokens already retrieved stay valid after the upgrade
        Disable the REST API if it is not essential

Long-Term Security Practices

        Regularly review which profiles have READ right on the User itemtype and which users hold API tokens; grant both only where the API is actually used
        Require an application token for API clients and restrict each client to the IP range it legitimately connects from
        Implement multi-factor authentication for interactive logins to reduce the value of any leaked credential

Patching and Updates

        Apply security patches promptly to address known vulnerabilities
