CVE-2021-32775

7.7 HIGH

📋 TL;DR

A non-administrator iTop user can read sensitive class and field values from the error messages produced by the GroupBy Dashlet. iTop 2.7.x releases before 2.7.4 and 3.0.0 pre-release builds are affected; data the user is not authorized to see is echoed back in the error text.

💻 Affected Systems

Products:
  • Combodo iTop
Versions: 2.7.x releases before 2.7.4, and 3.0.0 pre-release builds before the 3.0.0 release (fixed in 2.7.4 and 3.0.0)
Operating Systems: Any OS running iTop
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any installation with non-administrator accounts that can use the GroupBy Dashlet.

📦 What is this software?

Combodo iTop is an open source, web-based IT service management (ITSM) platform built around a CMDB. Users work with its data through dashboards composed of dashlets; the GroupBy Dashlet in question aggregates the objects of a class by one of its fields.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Non-admin users could access sensitive configuration data, user information, or system metadata that could facilitate further attacks or data exfiltration.

🟠

Likely Case

Unauthorized users gain access to internal system information that should be restricted, potentially violating data privacy and security policies.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to information disclosure without direct system compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No
Complexity: LOW

Exploitation requires an authenticated iTop account (administrator rights are not needed) and the ability to trigger and read GroupBy Dashlet error messages.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.4 or 3.0.0

Vendor Advisory: https://github.com/Combodo/iTop/security/advisories/GHSA-xh7w-rrp3-fhpq

Restart Required: Yes

Instructions:

1. Back up the iTop installation directory and its database.
2. Download iTop 2.7.4 (or 3.0.0) from the official distribution sources.
3. Follow the iTop upgrade documentation for your current version.
4. Restart web services after the upgrade.

🔧 Temporary Workarounds

Disable GroupBy Dashlet (all platforms)

Remove or disable GroupBy Dashlet functionality so the error path cannot be reached, by modifying the iTop configuration to disable the GroupBy Dashlet modules. This takes a feature away from users, so treat it as a stopgap until you can upgrade.

Restrict User Permissions (all platforms)

Tighten user profiles in the iTop administration panel so that fewer accounts can use dashlet functionality. Since any non-administrator with that access can trigger the disclosure, this reduces exposure but does not remove it.

🧯 If You Can't Patch

  • Apply strict access controls to dashboard editing and monitor for unusual dashlet activity, especially repeated errors from a single non-administrator account.
  • At the web application firewall or reverse proxy, alert on and rate-limit bursts of dashlet-related requests that end in application errors. Where the WAF inspects responses, blocking error pages that echo class/field values is an option; WAF rules narrow the window but do not fix the underlying disclosure.

🔍 How to Verify

Check if Vulnerable:

Read the iTop version from the administration panel (About iTop in the web UI) or from the ITOP_VERSION constant defined in approot.inc.php in the installation directory. Any 2.7.x release below 2.7.4, and any 3.0.0 pre-release build, is vulnerable.

Check Version:

Web UI: administration panel / About iTop. Filesystem: grep ITOP_VERSION approot.inc.php in the iTop root.

Verify Fix Applied:

After upgrading, confirm the version reads 2.7.4 or later (or 3.0.0 or later). Then, logged in as a non-administrator test account, trigger a GroupBy Dashlet error and confirm the message no longer includes class/field values the account is not permitted to see.
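The version comparison above has two traps: 2.7.4 and 3.0.0 are both fixed, but 3.0.0 pre-release builds (alpha/beta) are not, and packaging suffixes such as 2.6.1-1 are not pre-release tags. The script below is an added example, not part of the advisory or of iTop itself; it assumes the version is declared as a PHP constant ITOP_VERSION in approot.inc.php (the file name and constant are assumptions to check against your installation), and the embedded approot content is a constructed sample.

```python
import re
import sys

# Assumption, not stated in the advisory: iTop declares its release as a PHP
# constant in approot.inc.php at the installation root, on a line such as
#   define('ITOP_VERSION', '2.7.3');
VERSION_RE = re.compile(
    r"define\(\s*['\"]ITOP_VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*\)"
)

# First fixed release on the 2.7 line, per the advisory.
FIXED_2_7 = (2, 7, 4)


def parse_version(text):
    """Split an iTop version string into (numeric tuple, pre-release tag).

    '2.7.3'        -> ((2, 7, 3), None)
    '3.0.0-alpha'  -> ((3, 0, 0), 'alpha')
    '2.6.1-1'      -> ((2, 6, 1), None)   # packaging suffix, not a pre-release
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-_]?([A-Za-z][\w.]*))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised iTop version string: {text!r}")
    nums = tuple(int(part) for part in m.group(1).split("."))
    nums = (nums + (0, 0, 0))[:3]          # pad '2.7' to (2, 7, 0)
    return nums, m.group(2)


def is_vulnerable(version):
    """True when the version predates both fixes (2.7.4 and 3.0.0)."""
    nums, prerelease = parse_version(version)
    if nums[0] < 2:
        return True                         # anything older than the 2.x line
    if nums[0] == 2:
        return nums < FIXED_2_7             # 2.7.3 and earlier
    if nums == (3, 0, 0):
        return prerelease is not None       # 3.0.0-alpha/beta predate the fix
    return False                            # 3.0.0 release and anything later


def check_approot(php_source):
    """Return (version string, vulnerable?) for the contents of approot.inc.php."""
    m = VERSION_RE.search(php_source)
    if not m:
        raise ValueError("no ITOP_VERSION define() found")
    version = m.group(1)
    return version, is_vulnerable(version)


# Constructed sample of the relevant line; a real file contains much more.
SAMPLE_APPROOT = """<?php
define('ITOP_VERSION', '2.7.3');
"""

if __name__ == "__main__":
    # Usage: python check_itop_version.py /var/www/itop/approot.inc.php
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_APPROOT
    version, vulnerable = check_approot(source)
    state = "VULNERABLE to CVE-2021-32775" if vulnerable else "fixed"
    print(f"iTop {version}: {state}")
```

Run it against the real approot.inc.php; with no argument it evaluates the constructed sample and reports 2.7.3 as vulnerable.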

📡 Detection & Monitoring

Log Indicators:

  • GroupBy Dashlet errors that echo class/field values in the iTop application error log (by default under the log/ directory of the installation); web server access logs do not record response bodies and will not show the leaked data itself
  • Repeated GroupBy Dashlet errors from the same non-administrator account in a short interval, which suggests someone iterating over classes or fields

Network Indicators:

  • Bursts of HTTP requests to dashboard/dashlet endpoints from non-administrator accounts that return application error pages

SIEM Query:

source="iTop_logs" AND (message="*GroupBy*error*" OR message="*dashlet*error*") AND user_role!="admin"

The query is pseudo-syntax: the source, message and role field names must be mapped to however your pipeline ingests iTop's logs, and the role filter only works if the log source records the account's profile.
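The following is an added example (not from the advisory or from iTop) of the detection logic behind that query, run over constructed sample log lines. The line format, field names and messages are invented for the example; iTop's real error log layout differs, so parse_line() must be adapted to the actual source. Beyond the query, it adds the burst test a practitioner wants: one dashlet error from a user is normal, several from one non-administrator account within minutes is the enumeration pattern to alert on.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The layout (ISO timestamp followed by key=value fields)
# is invented for this example; adapt parse_line() to your real iTop log source.
SAMPLE_LOG = """\
2021-07-20T10:01:02Z user=alice role=admin msg="GroupBy dashlet error: unknown attribute on class ClassA"
2021-07-20T10:02:10Z user=bob role=user msg="GroupBy dashlet error: unknown attribute on class ClassA"
2021-07-20T10:02:41Z user=bob role=user msg="GroupBy dashlet error: unknown attribute on class ClassB"
2021-07-20T10:03:05Z user=bob role=user msg="Dashlet render error: group by field not allowed"
2021-07-20T10:03:30Z user=bob role=user msg="Dashboard saved"
2021-07-20T10:45:00Z user=carol role=user msg="Error loading GroupBy dashlet configuration"
2021-07-20T10:46:00Z user=dave role=user msg="Login successful"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) msg="(?P<msg>[^"]*)"$'
)
# Same intent as the SIEM query: a GroupBy/dashlet message that is an error.
DASHLET_ERROR = re.compile(r"(groupby|dashlet).*error|error.*(groupby|dashlet)", re.I)
ADMIN_ROLES = {"admin", "administrator"}


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def suspicious_events(lines):
    """Dashlet/GroupBy error events raised by non-administrator accounts."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["role"].lower() in ADMIN_ROLES:
            continue                        # admins may see this data anyway
        if DASHLET_ERROR.search(rec["msg"]):
            events.append(rec)
    return events


def burst_users(events, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` suspicious events inside any `window`.

    A sliding window per user: a burst from one non-admin account looks like
    someone iterating over classes/fields to harvest values from error text.
    """
    stamps_by_user = defaultdict(list)
    for ev in events:
        stamps_by_user[ev["user"]].append(ev["ts"])
    flagged = set()
    for user, stamps in stamps_by_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


if __name__ == "__main__":
    evs = suspicious_events(SAMPLE_LOG.splitlines())
    for ev in evs:
        print(ev["ts"].isoformat(), ev["user"], ev["msg"])
    print("burst accounts:", sorted(burst_users(evs)))
```

On the sample, alice is dropped because she is an administrator, carol's single error is recorded but not escalated, and bob's three errors within a minute put him in the burst set. Tune threshold and window to how your users actually build dashboards.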
