CVE-2020-26212
Vulnerability from cvelistv5
Published: 2020-11-25 17:05
Modified: 2024-08-04 15:49
Summary
Any GLPI CalDAV calendar is readable by every authenticated user (read-only access)
References
Source | URL | Tags |
---|---|---|
security-advisories@github.com | https://github.com/glpi-project/glpi/commit/527280358ec78988ac57e9809d2eb21fcd74caf7 | Patch, Third Party Advisory |
security-advisories@github.com | https://github.com/glpi-project/glpi/releases/tag/9.5.3 | Release Notes, Third Party Advisory |
security-advisories@github.com | https://github.com/glpi-project/glpi/security/advisories/GHSA-qmw3-87hr-5wgx | Exploit, Patch, Third Party Advisory |
Impacted products
Vendor | Product |
---|---|
glpi-project | glpi |
Affected versions

glpi-project glpi < 9.5.3 (NVD CPE match: cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*, versionEndExcluding 9.5.3)

Description

GLPI stands for Gestionnaire Libre de Parc Informatique and is a free asset and IT management software package that provides ITIL Service Desk features, license tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only access to the planning of every other user, including admin users.

Steps to reproduce the behavior:

1. Create a new planning entry as the 'eduardo.mozart' user (from the 'IT' group, which belongs to 'Super-admin') in that user's personal planning at 'Assistance' > 'Planning'.
2. Copy the CalDAV URL and use a CalDAV client (e.g. Thunderbird) to sync the planning with the provided URL.
3. Enter the username and password of any other valid user (e.g. 'camila' from the 'Proativa' group).
4. 'Camila' now has read-only access to the personal planning of 'eduardo.mozart'.

The same behavior applies to any group: e.g. 'Camila' has access to the 'IT' group planning even though she does not belong to that group and only has a 'Self-service' profile permission. This issue is fixed in version 9.5.3. As a workaround, one can remove the `caldav.php` file to block access to the CalDAV server.

Weakness

CWE-862 Missing Authorization

Metrics

Source | CVSS version | Vector | Base score | Severity | Exploitability | Impact |
---|---|---|---|---|---|---|
security-advisories@github.com (CNA) | 3.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N | 7.7 | HIGH | 3.1 | 4.0 |
nvd@nist.gov | 3.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 6.5 | MEDIUM | 2.8 | 3.6 |
nvd@nist.gov | 2.0 | AV:N/AC:L/Au:S/C:P/I:N/A:N | 4.0 | MEDIUM | 8.0 | 2.9 |

The two v3.1 scores differ only in the Scope metric: the CNA rates it Changed (S:C), NVD rates it Unchanged (S:U). Both agree on network attack vector, low complexity, low privileges (any authenticated account), no user interaction, and high confidentiality impact with no integrity or availability impact.

Record metadata

- CVE ID: CVE-2020-26212 (dataType CVE_RECORD, dataVersion 5.1; a legacy v4 record is embedded)
- Assigner: GitHub_M (security-advisories@github.com), assignerOrgId a0819718-46f1-4df5-94e2-005712e83aaa
- Source advisory: GHSA-qmw3-87hr-5wgx (discovery: UNKNOWN)
- Reserved: 2020-10-01; published: 2020-11-25T17:05:17; updated: 2024-08-04T15:49:07.163Z (CVE Program Container, orgId af854a3a-2127-422b-91ae-364da2661108)
- NVD: published 2020-11-25T17:15:12.073, last modified 2020-12-07T21:29:55.167, status Analyzed