CVE-2025-53360
📋 TL;DR
The Database Inventory Plugin for GLPI allows any authenticated user to send requests to inventory agents, potentially enabling unauthorized access to database inventory data. This affects all GLPI installations using the plugin before version 1.0.3. The vulnerability stems from improper access control (CWE-284).
💻 Affected Systems
- GLPI Database Inventory Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could manipulate inventory agents to collect sensitive database information, modify inventory data, or potentially use the agent communication channel for further attacks.
Likely Case
Unauthorized users accessing database inventory information they shouldn't have permission to view, potentially exposing database names, configurations, or other metadata.
If Mitigated
With proper network segmentation and least-privilege authentication, impact is limited to authorized users accessing data within their permission scope.
🎯 Exploit Status
Exploitation requires authenticated access to GLPI. The vulnerability is in the access control mechanism, making exploitation straightforward for authenticated users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.3
Vendor Advisory: https://github.com/pluginsGLPI/databaseinventory/security/advisories/GHSA-5j5j-xr62-jr58
Restart Required: No
Instructions:
1. Back up your GLPI installation and database.
2. Update the Database Inventory Plugin to version 1.0.3 via GLPI's plugin management interface or by manual installation.
3. Verify that the plugin version shows 1.0.3 in GLPI administration.
🔧 Temporary Workarounds
Disable Database Inventory Plugin
Temporarily disable the vulnerable plugin until patching is possible.
Navigate to GLPI Administration > Plugins > Database Inventory > Disable
Restrict User Access
Limit which users can authenticate to GLPI while the plugin is vulnerable.
Review and restrict user accounts in GLPI user management
🧯 If You Can't Patch
- Implement network segmentation to isolate GLPI servers from sensitive database infrastructure
- Enforce strict authentication controls and audit all authenticated user activity
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in GLPI administration under Plugins > Database Inventory. If the version is below 1.0.3, the system is vulnerable.
Check Version:
Check in GLPI web interface: Administration > Plugins > Database Inventory
Verify Fix Applied:
Verify the plugin shows version 1.0.3 in GLPI administration and test that only authorized users can access inventory agent functions.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized user attempts to access inventory agent endpoints
- Multiple inventory requests from non-admin users
Network Indicators:
- Unexpected traffic from GLPI to database inventory agents
- Inventory agent communications from unauthorized source IPs
SIEM Query:
source="glpi_logs" AND (event="inventory_request" OR event="agent_communication") AND user_role!="admin"
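The SIEM query above expressed as a stand-alone script, added here as an example and not part of the original page or of the GLPI project: it filters constructed JSON-per-line log records for agent-related events by non-admin users and flags accounts that trigger the "multiple inventory requests" indicator. The field names (source, event, user, user_role) mirror the query and are an assumption; real GLPI logs may name them differently.

```python
import json
from collections import Counter

# Constructed sample log lines (JSON per line); not real GLPI output.
SAMPLE_LOGS = """\
{"source": "glpi_logs", "event": "inventory_request", "user": "alice", "user_role": "admin"}
{"source": "glpi_logs", "event": "inventory_request", "user": "bob", "user_role": "self-service"}
{"source": "glpi_logs", "event": "agent_communication", "user": "bob", "user_role": "self-service"}
{"source": "glpi_logs", "event": "inventory_request", "user": "bob", "user_role": "self-service"}
{"source": "glpi_logs", "event": "login", "user": "carol", "user_role": "technician"}
{"source": "apache", "event": "inventory_request", "user": "dave", "user_role": "technician"}
"""

# Event names taken from the SIEM query on this page.
AGENT_EVENTS = {"inventory_request", "agent_communication"}


def parse_events(text):
    """Parse JSON-per-line records, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed line: ignore rather than abort the scan
    return events


def non_admin_agent_events(events):
    """Same predicate as the SIEM query: GLPI agent events by non-admin users."""
    return [e for e in events
            if e.get("source") == "glpi_logs"
            and e.get("event") in AGENT_EVENTS
            and e.get("user_role") != "admin"]


def repeated_offenders(events, threshold=2):
    """Users with at least `threshold` matching events (the 'multiple requests' indicator)."""
    counts = Counter(e.get("user", "?") for e in non_admin_agent_events(events))
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    for e in non_admin_agent_events(evs):
        print("non-admin agent event:", e["user"], e["event"])
    print("repeated offenders:", repeated_offenders(evs))
```

Tune the threshold to the volume a legitimate non-admin role generates in your environment before alerting on it.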
🔗 References
- https://github.com/pluginsGLPI/databaseinventory/commit/0a376a0c6f4142e11ea518faefe95c01b176fd87
- https://github.com/pluginsGLPI/databaseinventory/commit/7dcad1efb6ee84e9cffb3b446cdb47dc0be1091e
- https://github.com/pluginsGLPI/databaseinventory/commit/e9d4474acdab4141a6f4798cdd406b0d04480269
- https://github.com/pluginsGLPI/databaseinventory/security/advisories/GHSA-5j5j-xr62-jr58