Executive Summary

This vulnerability exists in GLPI, an asset and IT management software, where an authenticated user with config READ permission can read a specific asset object without proper authorization.

It is classified as a missing authorization issue (CWE-862), meaning that the software does not correctly restrict access to certain asset data.

The issue affects GLPI versions starting from 0.78 up to versions before 10.0.25 and 11.0.7, and it has been patched in version 11.0.7.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an authenticated user with config READ permission to access asset data that they should not be authorized to see.

Such unauthorized access could lead to exposure of sensitive asset information, potentially compromising the confidentiality of IT asset management data.

The severity is rated as low, but it still represents a risk of unauthorized data disclosure within the system.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade GLPI to version 11.0.7 or 10.0.25 or later, where the issue has been patched.

Ensure that only trusted authenticated users have config READ permissions to limit exposure.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an authenticated user with config READ permission to read a specific asset object without proper authorization, which could lead to unauthorized access to sensitive asset data.

Such unauthorized access to asset information may impact compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls on access to sensitive information.

However, the severity is rated as low and the issue has been patched in version 11.0.7, so upgrading mitigates the compliance risk.

Useful 0 Not Useful 0