CVE-2021-21255 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.8 MEDIUM	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
GitHub_M	CNA	5.8 MEDIUM	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 50%

Vendor	Product	Version
glpi-project	glpi	9.5.3

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

glpi

noble	dne
mantic	dne
lunar	dne
kinetic	dne
jammy	dne
impish	dne
hirsute	dne
groovy	dne
focal	dne
bionic	dne
xenial	needed
trusty	dne

Common Weakness Enumeration

CWE-862 - Missing Authorization
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 - Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References

https://github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc

https://github.com/glpi-project/glpi/security/advisories/GHSA-v3m5-r3mx-ff9j

https://github.com/glpi-project/glpi/commit/aade65b7f67d46f23d276a8acb0df70651c3b1dc

https://github.com/glpi-project/glpi/security/advisories/GHSA-v3m5-r3mx-ff9j