gsd-2020-26212
Vulnerability from gsd
Modified
2023-12-13 01:22
Details
GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of every other user, even admin ones. Steps to reproduce the behavior: 1. Create a new planning with 'eduardo.mozart' user (from 'IT' group that belongs to 'Super-admin') into it's personal planning at 'Assistance' > 'Planning'. 2. Copy the CalDAV url and use a CalDAV client (e.g. Thunderbird) to sync the planning with the provided URL. 3. Inform the username and password from any valid user (e.g. 'camila' from 'Proativa' group). 4. 'Camila' has read-only access to 'eduardo.mozart' personal planning. The same behavior happens to any group. E.g. 'Camila' has access to 'IT' group planning, even if she doesn't belong to this group and has a 'Self-service' profile permission). This issue is fixed in version 9.5.3. As a workaround, one can remove the `caldav.php` file to block access to CalDAV server.
Aliases
Aliases
CVE-2020-26212


To clipboard 

{
  "GSD": {
    "alias": "CVE-2020-26212",
    "description": "GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of every other user, even admin ones. Steps to reproduce the behavior: 1. Create a new planning with \u0027eduardo.mozart\u0027 user (from \u0027IT\u0027 group that belongs to \u0027Super-admin\u0027) into it\u0027s personal planning at \u0027Assistance\u0027 \u003e \u0027Planning\u0027. 2. Copy the CalDAV url and use a CalDAV client (e.g. Thunderbird) to sync the planning with the provided URL. 3. Inform the username and password from any valid user (e.g. \u0027camila\u0027 from \u0027Proativa\u0027 group). 4. \u0027Camila\u0027 has read-only access to \u0027eduardo.mozart\u0027 personal planning. The same behavior happens to any group. E.g. \u0027Camila\u0027 has access to \u0027IT\u0027 group planning, even if she doesn\u0027t belong to this group and has a \u0027Self-service\u0027 profile permission). This issue is fixed in version 9.5.3. As a workaround, one can remove the `caldav.php` file to block access to CalDAV server.",
    "id": "GSD-2020-26212"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-26212"
      ],
      "details": "GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of every other user, even admin ones. Steps to reproduce the behavior: 1. Create a new planning with \u0027eduardo.mozart\u0027 user (from \u0027IT\u0027 group that belongs to \u0027Super-admin\u0027) into it\u0027s personal planning at \u0027Assistance\u0027 \u003e \u0027Planning\u0027. 2. Copy the CalDAV url and use a CalDAV client (e.g. Thunderbird) to sync the planning with the provided URL. 3. Inform the username and password from any valid user (e.g. \u0027camila\u0027 from \u0027Proativa\u0027 group). 4. \u0027Camila\u0027 has read-only access to \u0027eduardo.mozart\u0027 personal planning. The same behavior happens to any group. E.g. \u0027Camila\u0027 has access to \u0027IT\u0027 group planning, even if she doesn\u0027t belong to this group and has a \u0027Self-service\u0027 profile permission). This issue is fixed in version 9.5.3. As a workaround, one can remove the `caldav.php` file to block access to CalDAV server.",
      "id": "GSD-2020-26212",
      "modified": "2023-12-13T01:22:08.627377Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2020-26212",
        "STATE": "PUBLIC",
        "TITLE": "Any GLPI CalDAV calendars is read-only for every authenticated user"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "glpi",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 9.5.3"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "glpi-project"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of every other user, even admin ones. Steps to reproduce the behavior: 1. Create a new planning with \u0027eduardo.mozart\u0027 user (from \u0027IT\u0027 group that belongs to \u0027Super-admin\u0027) into it\u0027s personal planning at \u0027Assistance\u0027 \u003e \u0027Planning\u0027. 2. Copy the CalDAV url and use a CalDAV client (e.g. Thunderbird) to sync the planning with the provided URL. 3. Inform the username and password from any valid user (e.g. \u0027camila\u0027 from \u0027Proativa\u0027 group). 4. \u0027Camila\u0027 has read-only access to \u0027eduardo.mozart\u0027 personal planning. The same behavior happens to any group. E.g. \u0027Camila\u0027 has access to \u0027IT\u0027 group planning, even if she doesn\u0027t belong to this group and has a \u0027Self-service\u0027 profile permission). This issue is fixed in version 9.5.3. As a workaround, one can remove the `caldav.php` file to block access to CalDAV server."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-862 Missing Authorization"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-qmw3-87hr-5wgx",
            "refsource": "CONFIRM",
            "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-qmw3-87hr-5wgx"
          },
          {
            "name": "https://github.com/glpi-project/glpi/commit/527280358ec78988ac57e9809d2eb21fcd74caf7",
            "refsource": "MISC",
            "url": "https://github.com/glpi-project/glpi/commit/527280358ec78988ac57e9809d2eb21fcd74caf7"
          },
          {
            "name": "https://github.com/glpi-project/glpi/releases/tag/9.5.3",
            "refsource": "MISC",
            "url": "https://github.com/glpi-project/glpi/releases/tag/9.5.3"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-qmw3-87hr-5wgx",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "9.5.3",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-26212"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of every other user, even admin ones. Steps to reproduce the behavior: 1. Create a new planning with \u0027eduardo.mozart\u0027 user (from \u0027IT\u0027 group that belongs to \u0027Super-admin\u0027) into it\u0027s personal planning at \u0027Assistance\u0027 \u003e \u0027Planning\u0027. 2. Copy the CalDAV url and use a CalDAV client (e.g. Thunderbird) to sync the planning with the provided URL. 3. Inform the username and password from any valid user (e.g. \u0027camila\u0027 from \u0027Proativa\u0027 group). 4. \u0027Camila\u0027 has read-only access to \u0027eduardo.mozart\u0027 personal planning. The same behavior happens to any group. E.g. \u0027Camila\u0027 has access to \u0027IT\u0027 group planning, even if she doesn\u0027t belong to this group and has a \u0027Self-service\u0027 profile permission). This issue is fixed in version 9.5.3. As a workaround, one can remove the `caldav.php` file to block access to CalDAV server."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-862"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-qmw3-87hr-5wgx",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-qmw3-87hr-5wgx"
            },
            {
              "name": "https://github.com/glpi-project/glpi/releases/tag/9.5.3",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/glpi-project/glpi/releases/tag/9.5.3"
            },
            {
              "name": "https://github.com/glpi-project/glpi/commit/527280358ec78988ac57e9809d2eb21fcd74caf7",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/glpi-project/glpi/commit/527280358ec78988ac57e9809d2eb21fcd74caf7"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2020-12-07T21:29Z",
      "publishedDate": "2020-11-25T17:15Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.