GSD-2020-26212

Vulnerability from gsd - Updated: 2023-12-13 01:22
Details
GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of every other user, even admin ones. Steps to reproduce the behavior: 1. Create a new planning with 'eduardo.mozart' user (from 'IT' group that belongs to 'Super-admin') into it's personal planning at 'Assistance' > 'Planning'. 2. Copy the CalDAV url and use a CalDAV client (e.g. Thunderbird) to sync the planning with the provided URL. 3. Inform the username and password from any valid user (e.g. 'camila' from 'Proativa' group). 4. 'Camila' has read-only access to 'eduardo.mozart' personal planning. The same behavior happens to any group. E.g. 'Camila' has access to 'IT' group planning, even if she doesn't belong to this group and has a 'Self-service' profile permission). This issue is fixed in version 9.5.3. As a workaround, one can remove the `caldav.php` file to block access to CalDAV server.
Aliases
Aliases
CVE-2020-26212
To clipboard 

{
  "GSD": {
    "alias": "CVE-2020-26212",
    "description": "GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of every other user, even admin ones. Steps to reproduce the behavior: 1. Create a new planning with \u0027eduardo.mozart\u0027 user (from \u0027IT\u0027 group that belongs to \u0027Super-admin\u0027) into it\u0027s personal planning at \u0027Assistance\u0027 \u003e \u0027Planning\u0027. 2. Copy the CalDAV url and use a CalDAV client (e.g. Thunderbird) to sync the planning with the provided URL. 3. Inform the username and password from any valid user (e.g. \u0027camila\u0027 from \u0027Proativa\u0027 group). 4. \u0027Camila\u0027 has read-only access to \u0027eduardo.mozart\u0027 personal planning. The same behavior happens to any group. E.g. \u0027Camila\u0027 has access to \u0027IT\u0027 group planning, even if she doesn\u0027t belong to this group and has a \u0027Self-service\u0027 profile permission). This issue is fixed in version 9.5.3. As a workaround, one can remove the `caldav.php` file to block access to CalDAV server.",
    "id": "GSD-2020-26212"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-26212"
      ],
      "details": "GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of every other user, even admin ones. Steps to reproduce the behavior: 1. Create a new planning with \u0027eduardo.mozart\u0027 user (from \u0027IT\u0027 group that belongs to \u0027Super-admin\u0027) into it\u0027s personal planning at \u0027Assistance\u0027 \u003e \u0027Planning\u0027. 2. Copy the CalDAV url and use a CalDAV client (e.g. Thunderbird) to sync the planning with the provided URL. 3. Inform the username and password from any valid user (e.g. \u0027camila\u0027 from \u0027Proativa\u0027 group). 4. \u0027Camila\u0027 has read-only access to \u0027eduardo.mozart\u0027 personal planning. The same behavior happens to any group. E.g. \u0027Camila\u0027 has access to \u0027IT\u0027 group planning, even if she doesn\u0027t belong to this group and has a \u0027Self-service\u0027 profile permission). This issue is fixed in version 9.5.3. As a workaround, one can remove the `caldav.php` file to block access to CalDAV server.",
      "id": "GSD-2020-26212",
      "modified": "2023-12-13T01:22:08.627377Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2020-26212",
        "STATE": "PUBLIC",
        "TITLE": "Any GLPI CalDAV calendars is read-only for every authenticated user"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "glpi",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 9.5.3"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "glpi-project"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of every other user, even admin ones. Steps to reproduce the behavior: 1. Create a new planning with \u0027eduardo.mozart\u0027 user (from \u0027IT\u0027 group that belongs to \u0027Super-admin\u0027) into it\u0027s personal planning at \u0027Assistance\u0027 \u003e \u0027Planning\u0027. 2. Copy the CalDAV url and use a CalDAV client (e.g. Thunderbird) to sync the planning with the provided URL. 3. Inform the username and password from any valid user (e.g. \u0027camila\u0027 from \u0027Proativa\u0027 group). 4. \u0027Camila\u0027 has read-only access to \u0027eduardo.mozart\u0027 personal planning. The same behavior happens to any group. E.g. \u0027Camila\u0027 has access to \u0027IT\u0027 group planning, even if she doesn\u0027t belong to this group and has a \u0027Self-service\u0027 profile permission). This issue is fixed in version 9.5.3. As a workaround, one can remove the `caldav.php` file to block access to CalDAV server."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-862 Missing Authorization"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-qmw3-87hr-5wgx",
            "refsource": "CONFIRM",
            "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-qmw3-87hr-5wgx"
          },
          {
            "name": "https://github.com/glpi-project/glpi/commit/527280358ec78988ac57e9809d2eb21fcd74caf7",
            "refsource": "MISC",
            "url": "https://github.com/glpi-project/glpi/commit/527280358ec78988ac57e9809d2eb21fcd74caf7"
          },
          {
            "name": "https://github.com/glpi-project/glpi/releases/tag/9.5.3",
            "refsource": "MISC",
            "url": "https://github.com/glpi-project/glpi/releases/tag/9.5.3"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-qmw3-87hr-5wgx",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "9.5.3",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-26212"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of every other user, even admin ones. Steps to reproduce the behavior: 1. Create a new planning with \u0027eduardo.mozart\u0027 user (from \u0027IT\u0027 group that belongs to \u0027Super-admin\u0027) into it\u0027s personal planning at \u0027Assistance\u0027 \u003e \u0027Planning\u0027. 2. Copy the CalDAV url and use a CalDAV client (e.g. Thunderbird) to sync the planning with the provided URL. 3. Inform the username and password from any valid user (e.g. \u0027camila\u0027 from \u0027Proativa\u0027 group). 4. \u0027Camila\u0027 has read-only access to \u0027eduardo.mozart\u0027 personal planning. The same behavior happens to any group. E.g. \u0027Camila\u0027 has access to \u0027IT\u0027 group planning, even if she doesn\u0027t belong to this group and has a \u0027Self-service\u0027 profile permission). This issue is fixed in version 9.5.3. As a workaround, one can remove the `caldav.php` file to block access to CalDAV server."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-862"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-qmw3-87hr-5wgx",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-qmw3-87hr-5wgx"
            },
            {
              "name": "https://github.com/glpi-project/glpi/releases/tag/9.5.3",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/glpi-project/glpi/releases/tag/9.5.3"
            },
            {
              "name": "https://github.com/glpi-project/glpi/commit/527280358ec78988ac57e9809d2eb21fcd74caf7",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/glpi-project/glpi/commit/527280358ec78988ac57e9809d2eb21fcd74caf7"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2020-12-07T21:29Z",
      "publishedDate": "2020-11-25T17:15Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.