CVE-2023-41324
📋 TL;DR
This vulnerability in GLPI lets REST API users who hold only read access to user resources take over other users' accounts, through improper privilege management in the API. It affects GLPI installations with the REST API enabled. No administrative rights are needed: read permission on User objects is enough to escalate to control of other accounts.
💻 Affected Systems
- GLPI (Gestionnaire Libre de Parc Informatique)
📦 What is this software?
GLPI by GLPI Project: an open-source IT asset management and service desk (ITSM) application, with a REST API (apirest.php) used by integrations and inventory agents.
⚠️ Risk & Real-World Impact
Worst Case
Attackers with API read access can compromise administrative accounts, leading to complete system takeover, data theft, and further network compromise.
Likely Case
Malicious or compromised users with API access can steal credentials of other users, potentially gaining elevated privileges and accessing sensitive data.
If Mitigated
With strict API access controls and network segmentation, impact is limited to specific user accounts rather than system-wide compromise.
🎯 Exploit Status
Exploitation requires an authenticated REST API session whose profile has read permission on user resources, so any API-enabled account (or an attacker who obtains such an account's credentials or API token) can exploit it; no administrative profile is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.0.10
Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-58wj-8jhx-jpm3
Restart Required: Yes
Instructions:
1. Back up the GLPI database and the installation directory (including the files/ and config/ directories).
2. Download GLPI 10.0.10 (or later) from official sources.
3. Follow the GLPI upgrade documentation to apply the update and run the database update step (web updater or php bin/console db:update).
4. Restart web server services.
5. Verify the update was successful (see How to Verify below).
🔧 Temporary Workarounds
Disable API Access
Temporarily disable GLPI REST API access to prevent exploitation while planning the upgrade.
In GLPI, turn off the REST API under Setup > General > API, or block the apirest.php endpoint in the web server configuration. Inventory agents and other integrations that use the API will stop working until it is re-enabled.
🧯 If You Can't Patch
- Restrict API access to trusted integration hosts only, using firewall rules or web server configuration on the apirest.php endpoint (GLPI's own API client definitions can also limit each client to an IP range).
- Audit which accounts can use the API and which of those hold read rights on User objects; remove API access from accounts that do not need it and rotate the credentials or API tokens of accounts that had it.
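The two web-server workarounds above (disable the API, or allow it only for trusted hosts), written out as an added Apache 2.4 example that is not part of GLPI's own configuration. It assumes the REST endpoint is served at /apirest.php under the GLPI virtual host and uses 10.20.0.0/16 and 192.0.2.10 as placeholder trusted addresses; `<Location>` matches by URL prefix, so sub-paths such as /apirest.php/User/1 are covered too.

```apacheconf
# Added example, not GLPI's configuration. Assumes Apache 2.4 and that GLPI's
# REST API is served at /apirest.php (adjust if your DocumentRoot or Alias
# differs). 10.20.0.0/16 and 192.0.2.10 are placeholder trusted addresses.

# Option A: disable the REST API entirely until the upgrade to 10.0.10.
<Location "/apirest.php">
    Require all denied
</Location>

# Option B (use instead of A): keep the API, but only for integration hosts
# you trust. Everything else gets 403 before GLPI sees the request.
# <Location "/apirest.php">
#     Require ip 10.20.0.0/16 192.0.2.10
# </Location>
```

Validate with `apachectl configtest` and reload; then confirm from an untrusted address that `GET /apirest.php/User/` returns 403. The equivalent in nginx is a `location ^~ /apirest.php { deny all; }` (or `allow <range>; deny all;`) block.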
🔍 How to Verify
Check if Vulnerable:
Determine the installed GLPI version (see Check Version below). Versions below 10.0.10 are vulnerable.
Check Version:
Check the GLPI version in the web interface at Setup > General > Information (it is also shown in the page footer), or read the GLPI_VERSION constant in inc/define.php of the installation directory.
Verify Fix Applied:
After upgrading, confirm version is 10.0.10 or higher via GLPI interface or version files.
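A scriptable form of the version check above, as an added example that is not part of the GLPI project: it reads the GLPI_VERSION constant from inc/define.php and compares it numerically against 10.0.10, which is useful when checking many installs from a management host. The sample define.php it writes is constructed for the demo; point `glpi_vulnerable` at a real GLPI root (e.g. /var/www/glpi) in practice.

```shell
#!/bin/sh
# Added example (not GLPI project code): decide whether an installation
# predates the 10.0.10 fix by reading GLPI_VERSION from inc/define.php.
# The sample define.php written below is constructed, not a real install.

# Print the GLPI_VERSION constant from the given inc/define.php.
# Handles both quote styles: define('GLPI_VERSION', '10.0.9');
glpi_version() {
    tr "'" '"' < "$1" |
        sed -n 's/^[[:space:]]*define("GLPI_VERSION",[[:space:]]*"\([^"]*\)".*/\1/p' |
        head -n 1
}

# Exit status 0 when dotted version $1 is numerically lower than $2.
# A pre-release suffix (e.g. "10.0.10-dev") is stripped before comparing,
# so treat such builds as unverified rather than as fixed.
version_lt() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s' "$b" | cut -d. -f"$i"); y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# Exit status 0 when the GLPI install rooted at $1 is below 10.0.10
# (affected by CVE-2023-41324), 1 when fixed, 2 when undeterminable.
glpi_vulnerable() {
    v=$(glpi_version "$1/inc/define.php" 2>/dev/null)
    [ -n "$v" ] || return 2
    version_lt "$v" "10.0.10"
}

# Demo against a constructed sample tree (not a real GLPI install).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/inc"
printf "<?php\ndefine('GLPI_VERSION', '10.0.9');\n" > "$demo_root/inc/define.php"
rc=0
glpi_vulnerable "$demo_root" || rc=$?
case $rc in
    0) echo "GLPI $(glpi_version "$demo_root/inc/define.php"): affected, upgrade to 10.0.10 or later" ;;
    1) echo "GLPI $(glpi_version "$demo_root/inc/define.php"): not affected by this CVE" ;;
    *) echo "could not read GLPI_VERSION from $demo_root/inc/define.php" ;;
esac
rm -r "$demo_root"
```

Because the comparison is numeric per component, 10.0.9 and 9.5.13 both sort below 10.0.10, which a plain string compare would get wrong.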
📡 Detection & Monitoring
Log Indicators:
- Unusual API access patterns to user resources
- Logins to accounts (especially administrative ones) from a client that shortly before was reading other users' records through the API
- API requests reading user data beyond the caller's normal scope, such as a client walking through User IDs sequentially or listing all users
Network Indicators:
- Unusual API traffic to user endpoints from non-admin accounts
- Spike in authentication-related API calls
SIEM Query:
source="glpi_logs" AND (api_access="user" OR endpoint="*/apirest.php*") AND (action="read" OR resource="user") | stats count by src_ip, user
(Pseudo-SPL; the source and field names are placeholders and must be mapped to what your log source actually produces, typically the request path from the web-server access log.)
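The same indicator run directly over a web-server access log, as an added example that is not part of the page's or GLPI's own tooling: it counts GET requests to the /apirest.php/User endpoint per client IP, tracks how many distinct user IDs each client fetched, and flags clients that exceed a threshold. Field positions assume the standard combined log format, and the log lines written by `write_sample_log` are constructed for the demo (192.0.2.10 plays a normal integration host, 198.51.100.23 a client enumerating users).

```shell
#!/bin/sh
# Added example (not GLPI project code): run the "user enumeration via the
# REST API" indicator over a combined-format access log. Field positions
# assume the standard combined format; the sample lines are constructed.

# Per client IP: "<ip> <requests to /apirest.php/User*> <distinct user ids read>"
api_user_reads() {
    awk '
        $6 == "\"GET" && $7 ~ /^\/apirest\.php\/User(\/|[?]|$)/ {
            req[$1]++
            # /apirest.php/User/42?... -> the numeric id starts at offset 19
            if (match($7, /^\/apirest\.php\/User\/[0-9]+/)) {
                id = substr($7, 19, RLENGTH - 18)
                if (!(($1, id) in seen)) { seen[$1, id] = 1; ids[$1]++ }
            }
        }
        END { for (ip in req) printf "%s %d %d\n", ip, req[ip], ids[ip] + 0 }
    ' "$1" | sort
}

# Client IPs that read at least $2 (default 5) distinct User records.
flag_user_enumeration() {
    api_user_reads "$1" | awk -v t="${2:-5}" '$3 >= t { print $1 }'
}

# Constructed sample: one integration host reading a single record, one client
# walking user ids sequentially (the pattern to look for), and an unrelated login.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [15/Sep/2023:09:12:01 +0000] "GET /apirest.php/User/7 HTTP/1.1" 200 811 "-" "curl/8.1.2"
192.0.2.10 - - [15/Sep/2023:09:12:02 +0000] "GET /apirest.php/Ticket/ HTTP/1.1" 200 4210 "-" "curl/8.1.2"
198.51.100.23 - - [15/Sep/2023:09:14:10 +0000] "GET /apirest.php/User/ HTTP/1.1" 200 9120 "-" "python-requests/2.31"
198.51.100.23 - - [15/Sep/2023:09:14:11 +0000] "GET /apirest.php/User/2 HTTP/1.1" 200 802 "-" "python-requests/2.31"
198.51.100.23 - - [15/Sep/2023:09:14:11 +0000] "GET /apirest.php/User/3 HTTP/1.1" 200 799 "-" "python-requests/2.31"
198.51.100.23 - - [15/Sep/2023:09:14:12 +0000] "GET /apirest.php/User/4 HTTP/1.1" 200 805 "-" "python-requests/2.31"
198.51.100.23 - - [15/Sep/2023:09:14:12 +0000] "GET /apirest.php/User/5?expand_dropdowns=true HTTP/1.1" 200 1310 "-" "python-requests/2.31"
198.51.100.23 - - [15/Sep/2023:09:14:13 +0000] "GET /apirest.php/User/6 HTTP/1.1" 200 790 "-" "python-requests/2.31"
198.51.100.23 - - [15/Sep/2023:09:14:13 +0000] "GET /apirest.php/User/6 HTTP/1.1" 200 790 "-" "python-requests/2.31"
203.0.113.5 - - [15/Sep/2023:09:20:00 +0000] "POST /apirest.php/initSession HTTP/1.1" 200 120 "-" "Mozilla/5.0"
EOF
}

# Demo
log=$(mktemp)
write_sample_log "$log"
echo "ip requests distinct_users"
api_user_reads "$log"
echo "flagged (>= 5 distinct users):"
flag_user_enumeration "$log" 5
rm -f "$log"
```

The access log only identifies the client IP, not the GLPI account behind the Session-Token header, so treat a flagged IP as the starting point for checking which API account it used and which accounts logged in afterwards. Tune the threshold to the number of users an integration on your network legitimately reads.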