CVE-2021-21326
📋 TL;DR
This vulnerability in GLPI allows any authenticated user with access to the self-service interface to create tickets on behalf of other users, even when delegation (the "delegatee" mechanism) is not configured for that user. Installations before version 9.5.4 are affected. The result is unauthorized ticket creation in another user's name, which can be used to abuse the service desk and to muddy attribution.
💻 Affected Systems
- GLPI
📦 What is this software?
GLPI by the GLPI Project
⚠️ Risk & Real-World Impact
Worst Case
An attacker could create numerous tickets on behalf of legitimate users, causing service desk overload, attribution confusion, and potential denial of service to the IT support system.
Likely Case
Malicious users create tickets for other users without their knowledge, potentially causing confusion, wasting IT resources, or creating false support requests.
If Mitigated
With proper access controls and monitoring, impact is limited to minor service desk disruption that can be quickly identified and remediated.
🎯 Exploit Status
Exploitation requires an authenticated account that can reach the GLPI self-service ticket form; no elevated profile is needed, so the lowest-privilege helpdesk user suffices. Once authenticated, the vulnerability is straightforward to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.5.4
Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-vmj9-cg56-p7wh
Restart Required: No
Instructions:
1. Back up your GLPI database and files.
2. Download GLPI 9.5.4 or later from the official repository.
3. Follow the GLPI upgrade documentation to update your installation, including the database schema update step.
4. Verify the upgrade completed successfully (see How to Verify below).
🔧 Temporary Workarounds
Restrict the Self-Service Interface
Until patching can be completed, remove self-service ticket creation from profiles that do not need it. This blocks ticket creation for those users entirely, so it is a blunt control; apply it only to the profiles you can afford to restrict.
# In GLPI 9.5: Administration > Profiles > (profile) > Assistance tab, remove the "Create" right on Tickets
# Menu labels vary between GLPI releases; check the documentation for your version
Delegation Settings Are Not a Fix
The flaw is that the self-service form honours a requester other than the logged-in user regardless of whether delegation is configured, so enabling delegatee groups does not close it; it only makes the same behaviour legitimate for the designated delegates. Keep delegation disabled where it is not needed, so that every cross-user ticket is anomalous and easy to spot.
# In GLPI 9.5: Administration > Groups > (group) > Users tab, "Delegatee" flag per member
# Leave it unset unless the user genuinely needs to open tickets for that group
🧯 If You Can't Patch
- Limit self-service access to the accounts that genuinely need to open tickets, and keep group delegation disabled where it is not required
- Log ticket creation and review every ticket whose requester differs from the account that created it; with delegation disabled, each such ticket is a candidate abuse case
🔍 How to Verify
Check if Vulnerable:
Any GLPI installation running a version below 9.5.4 is vulnerable. No configuration setting removes the flaw, so the version is the only thing to check.
Check Version:
In the web interface, open Setup > General and read the GLPI version from the system information tab. On the server, the version is the GLPI_VERSION constant in inc/define.php under the GLPI root (for example `grep GLPI_VERSION inc/define.php`).
Verify Fix Applied:
After upgrading, confirm that both inc/define.php and the web interface report 9.5.4 or later and that the database schema update has been run. Then, using a test account on the self-service profile with no delegation rights, open a ticket and confirm that the requester cannot be set to another user.
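As an added example (not from the GLPI project or from this advisory), the following Python script performs the file-based version check described above. It assumes the standard GLPI layout in which inc/define.php contains `define('GLPI_VERSION', '...')`; the embedded define.php excerpt is constructed for demonstration, and treating a `-dev` suffix as older than the release it precedes is a conservative assumption made here, not a GLPI rule.

```python
import re
from pathlib import Path

FIXED_VERSION = "9.5.4"  # first release carrying the fix

# Matches the define() line in inc/define.php, with either quote style.
_DEFINE_RE = re.compile(
    r"""define\(\s*['"]GLPI_VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)"""
)


def parse_glpi_version(define_php_text: str) -> str:
    """Extract the GLPI_VERSION value from the text of inc/define.php."""
    m = _DEFINE_RE.search(define_php_text)
    if not m:
        raise ValueError("GLPI_VERSION define not found")
    return m.group(1)


def version_key(version: str) -> tuple:
    """Turn '9.5.4' or '9.5.4-dev' into a sortable tuple.

    Missing components are padded so that 9.5 == 9.5.0. A pre-release
    suffix (assumption: anything after '-') sorts below the release it
    precedes, so '9.5.4-dev' is reported as not yet fixed.
    """
    base, _, suffix = version.partition("-")
    parts = tuple(int(p) for p in base.split("."))
    parts = parts + (0,) * (3 - len(parts))
    return parts + ((0,) if suffix else (1,))


def is_vulnerable(version: str) -> bool:
    """True when the version sorts below the first fixed release."""
    return version_key(version) < version_key(FIXED_VERSION)


def check_install(glpi_root: str) -> dict:
    """Read inc/define.php under glpi_root and report version and status."""
    text = Path(glpi_root, "inc", "define.php").read_text(encoding="utf-8")
    version = parse_glpi_version(text)
    return {"version": version, "vulnerable": is_vulnerable(version)}


# Constructed excerpt of an inc/define.php (sample input, not a real file).
SAMPLE_DEFINE_PHP = """<?php
define('GLPI_VERSION', '9.5.3');
define('GLPI_SCHEMA_VERSION', '9.5.3');
"""

if __name__ == "__main__":
    v = parse_glpi_version(SAMPLE_DEFINE_PHP)
    print(v, "VULNERABLE" if is_vulnerable(v) else "fixed")
```

Run it against a real install with `check_install("/var/www/glpi")`; the tuple comparison avoids the classic string-comparison mistake where "9.5.10" sorts below "9.5.4".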
📡 Detection & Monitoring
Log Indicators:
- A burst of ticket creations from a single user account
- Tickets whose requester differs from the account that created them (in GLPI, users_id_recipient on the ticket versus the requester actor) where the creating account is not a delegate for that requester
- Ticket creation outside normal business hours, or tickets that the named requester reports not having opened
Network Indicators:
- HTTP POST requests to the self-service ticket creation form that carry a requester user id different from the session user
SIEM Query (pseudo-syntax; GLPI does not emit an event named ticket_creation, so map these fields to whatever your log pipeline extracts from GLPI or its database):
source="glpi_logs" AND (event="ticket_creation" AND user_id != requester_id)
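To turn the indicators above into something that runs, here is an added Python example (not GLPI code and not part of the original page) that applies the "requester differs from creator" check to rows shaped like GLPI's glpi_tickets (users_id_recipient is the submitting account), glpi_tickets_users (type 1 marks the requester actor) and glpi_groups_users (is_userdelegate marks a delegate) tables. The rows are constructed sample data; in practice you would select them from the GLPI database. Unlike the one-line SIEM query, it excludes cross-user tickets opened by a legitimate delegate of the requester's group, which is exactly the case the vulnerability bypasses.

```python
from collections import Counter, defaultdict

REQUESTER = 1  # glpi_tickets_users.type value for the requester actor

# Constructed sample rows modelled on GLPI 9.5 tables (not real data).
TICKETS = [
    {"id": 101, "users_id_recipient": 7, "date": "2021-03-01 09:12:00"},
    {"id": 102, "users_id_recipient": 7, "date": "2021-03-01 09:13:00"},
    {"id": 103, "users_id_recipient": 9, "date": "2021-03-01 10:00:00"},
    {"id": 104, "users_id_recipient": 7, "date": "2021-03-01 10:05:00"},
    {"id": 105, "users_id_recipient": 3, "date": "2021-03-01 11:00:00"},
]
TICKETS_USERS = [
    {"tickets_id": 101, "users_id": 7, "type": REQUESTER},   # own ticket
    {"tickets_id": 102, "users_id": 12, "type": REQUESTER},  # for user 12, no delegation
    {"tickets_id": 103, "users_id": 5, "type": REQUESTER},   # 9 is delegate of 5's group
    {"tickets_id": 104, "users_id": 15, "type": REQUESTER},  # for user 15, no delegation
    {"tickets_id": 105, "users_id": 3, "type": REQUESTER},   # own ticket
]
GROUPS_USERS = [
    {"users_id": 5, "groups_id": 2, "is_userdelegate": 0},
    {"users_id": 9, "groups_id": 2, "is_userdelegate": 1},   # delegate for group 2
    {"users_id": 12, "groups_id": 3, "is_userdelegate": 0},
    {"users_id": 7, "groups_id": 3, "is_userdelegate": 0},   # member, not delegate
]


def delegate_targets(groups_users):
    """Map each delegate user id to the set of users they may open tickets for."""
    members = defaultdict(set)    # groups_id -> member user ids
    delegates = defaultdict(set)  # users_id  -> groups they are delegate for
    for row in groups_users:
        members[row["groups_id"]].add(row["users_id"])
        if row["is_userdelegate"]:
            delegates[row["users_id"]].add(row["groups_id"])
    return {u: set().union(*(members[g] for g in gs)) for u, gs in delegates.items()}


def find_suspect_tickets(tickets, tickets_users, groups_users):
    """Return (ticket id, creator, requester) for tickets whose creator is not
    the requester and holds no delegation covering the requester."""
    allowed = delegate_targets(groups_users)
    requesters = defaultdict(set)
    for row in tickets_users:
        if row["type"] == REQUESTER:
            requesters[row["tickets_id"]].add(row["users_id"])
    suspects = []
    for t in tickets:
        creator = t["users_id_recipient"]
        for req in sorted(requesters[t["id"]]):
            if req != creator and req not in allowed.get(creator, set()):
                suspects.append((t["id"], creator, req))
    return suspects


def creators_over_threshold(suspects, threshold=2):
    """Accounts with at least `threshold` suspect tickets (burst indicator)."""
    counts = Counter(creator for _, creator, _ in suspects)
    return {c: n for c, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = find_suspect_tickets(TICKETS, TICKETS_USERS, GROUPS_USERS)
    for ticket_id, creator, req in hits:
        print(f"ticket {ticket_id}: created by user {creator} for user {req} without delegation")
    print("bursty creators:", creators_over_threshold(hits))
```

When running this against a real database, restrict the creator set to accounts whose profile uses the simplified (helpdesk) interface; technicians on the standard interface open tickets for other users as a matter of routine and would otherwise flood the output.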