CVE-2021-39211 - OpenCVE

GLPI is a free Asset and IT management software package. Starting in version 9.2 and prior to version 9.5.6, the telemetry endpoint discloses GLPI and server information. This issue is fixed in version 9.5.6. As a workaround, remove the file `ajax/telemetry.php`, which is not needed for usual functions of GLPI.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Glpi-project	Glpi

Configuration 1 [-]

cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/glpi-project/glpi/releases/tag/9.5.6
https://github.com/glpi-project/glpi/security/advisories/GHSA-xx66-v3g5-w825

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-09-15T16:55:10

Updated: 2024-08-04T01:58:18.247Z

Reserved: 2021-08-16T00:00:00

Link: CVE-2021-39211

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-09-15T17:15:10.267

Modified: 2022-08-05T11:00:24.913

Link: CVE-2021-39211

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "glpi", "vendor": "glpi-project", "versions": [{"status": "affected", "version": ">= 9.2, < 9.5.6"}]}], "descriptions": [{"lang": "en", "value": "GLPI is a free Asset and IT management software package. Starting in version 9.2 and prior to version 9.5.6, the telemetry endpoint discloses GLPI and server information. This issue is fixed in version 9.5.6. As a workaround, remove the file `ajax/telemetry.php`, which is not needed for usual functions of GLPI."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-09-15T16:55:10", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/glpi-project/glpi/releases/tag/9.5.6"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-xx66-v3g5-w825"}], "source": {"advisory": "GHSA-xx66-v3g5-w825", "discovery": "UNKNOWN"}, "title": "Disclosure of GLPI and server information in telemetry endpoint", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-39211", "STATE": "PUBLIC", "TITLE": "Disclosure of GLPI and server information in telemetry endpoint"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "glpi", "version": {"version_data": [{"version_value": ">= 9.2, < 9.5.6"}]}}]}, "vendor_name": "glpi-project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "GLPI is a free Asset and IT management software package. Starting in version 9.2 and prior to version 9.5.6, the telemetry endpoint discloses GLPI and server information. This issue is fixed in version 9.5.6. As a workaround, remove the file `ajax/telemetry.php`, which is not needed for usual functions of GLPI."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}]}, "references": {"reference_data": [{"name": "https://github.com/glpi-project/glpi/releases/tag/9.5.6", "refsource": "MISC", "url": "https://github.com/glpi-project/glpi/releases/tag/9.5.6"}, {"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-xx66-v3g5-w825", "refsource": "CONFIRM", "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-xx66-v3g5-w825"}]}, "source": {"advisory": "GHSA-xx66-v3g5-w825", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:58:18.247Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/glpi-project/glpi/releases/tag/9.5.6"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-xx66-v3g5-w825"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-39211", "datePublished": "2021-09-15T16:55:10", "dateReserved": "2021-08-16T00:00:00", "dateUpdated": "2024-08-04T01:58:18.247Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*", "matchCriteriaId": "27D39680-BCCB-49B6-9465-9D956BCE2DC8", "versionEndExcluding": "9.5.6", "versionStartIncluding": "9.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GLPI is a free Asset and IT management software package. Starting in version 9.2 and prior to version 9.5.6, the telemetry endpoint discloses GLPI and server information. This issue is fixed in version 9.5.6. As a workaround, remove the file `ajax/telemetry.php`, which is not needed for usual functions of GLPI."}, {"lang": "es", "value": "GLPI es un paquete de software gratuito de administraci\u00f3n de activos y TI. A partir de la versi\u00f3n 9.2 y versiones anteriores a 9.5.6, el endpoint de telemetr\u00eda divulga informaci\u00f3n de GLPI y del servidor. Este problema es corregido en versi\u00f3n 9.5.6. Como soluci\u00f3n, elimine el archivo \"ajax/telemetry.php\", que no es necesario para las funciones habituales de GLPI"}], "id": "CVE-2021-39211", "lastModified": "2022-08-05T11:00:24.913", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-09-15T17:15:10.267", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/glpi-project/glpi/releases/tag/9.5.6"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-xx66-v3g5-w825"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}