CVE-2024-43416

GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an unauthenticated user can use an application endpoint to check if an email address corresponds to a valid GLPI user. Version 10.0.17 fixes the issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/glpi-project/glpi/commit/9be1466053f829680db318f7e7e5880d2d789c6d	Patch
https://github.com/glpi-project/glpi/security/advisories/GHSA-j8gc-xpgr-2ww7	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*

History

07 Jan 2025, 17:05

Type	Values Removed	Values Added
CPE		cpe:2.3:a:glpi-project:glpi::::::::
First Time		Glpi-project Glpi-project glpi
CWE		NVD-CWE-noinfo
References	~~() https://github.com/glpi-project/glpi/commit/9be1466053f829680db318f7e7e5880d2d789c6d -~~	() https://github.com/glpi-project/glpi/commit/9be1466053f829680db318f7e7e5880d2d789c6d - Patch
References	~~() https://github.com/glpi-project/glpi/security/advisories/GHSA-j8gc-xpgr-2ww7 -~~	() https://github.com/glpi-project/glpi/security/advisories/GHSA-j8gc-xpgr-2ww7 - Vendor Advisory

19 Nov 2024, 21:57

Type	Values Removed	Values Added
Summary		(es) GLPI es un paquete de software gratuito de gestión de activos y TI. A partir de la versión 0.80 y antes de la versión 10.0.17, un usuario no autenticado puede usar un endpoint de la aplicación para verificar si una dirección de correo electrónico corresponde a un usuario válido de GLPI. La versión 10.0.17 soluciona el problema.

18 Nov 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-18 17:15

Updated : 2025-01-07 17:05

NVD link : CVE-2024-43416

Mitre link : CVE-2024-43416

CVE.ORG link : CVE-2024-43416

JSON object : View

Products Affected

glpi-project

glpi

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo

{"id": "CVE-2024-43416", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-11-18T17:15:11.220", "references": [{"url": "https://github.com/glpi-project/glpi/commit/9be1466053f829680db318f7e7e5880d2d789c6d", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-j8gc-xpgr-2ww7", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an unauthenticated user can use an application endpoint to check if an email address corresponds to a valid GLPI user. Version 10.0.17 fixes the issue."}, {"lang": "es", "value": "GLPI es un paquete de software gratuito de gesti\u00f3n de activos y TI. A partir de la versi\u00f3n 0.80 y antes de la versi\u00f3n 10.0.17, un usuario no autenticado puede usar un endpoint de la aplicaci\u00f3n para verificar si una direcci\u00f3n de correo electr\u00f3nico corresponde a un usuario v\u00e1lido de GLPI. La versi\u00f3n 10.0.17 soluciona el problema."}], "lastModified": "2025-01-07T17:05:20.757", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "32ABC28B-4FBB-4935-84A6-099E9F11B796", "versionEndExcluding": "10.0.17", "versionStartIncluding": "0.80"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}