
Able to read any token through API user endpoint

High
trasher published GHSA-rf54-3r4w-4h55 May 5, 2020

Package

No package listed

Affected versions

> 9.1

Patched versions

9.4.6

Description

Any API user with READ right on the User itemtype has access to the full list of users when querying apirest.php/User.

This is expected, but the response also contains:

  • All api_token values: can be used to escalate privileges or to read/update/delete data normally not accessible to the current user
  • All personal_token values: can be used to display other users' planning.

The first is a very high severity issue but requires:

  • the API to be enabled
  • a technician account
  • (it can be mitigated by adding an application token)
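To check whether an instance still exposes these fields, an added example (not GLPI code, not from the advisory author): it audits the parsed JSON body of a GET on apirest.php/User for non-empty api_token / personal_token values, and shows a redaction helper for a proxy or log layer. The sample response is constructed; the field and user names are assumptions.

```python
import json

# Fields the vulnerable endpoint (apirest.php/User) exposed before the fix.
SENSITIVE_FIELDS = ("api_token", "personal_token")


def leaked_token_fields(users):
    """Return [(user_id, field)] for every non-empty sensitive field in a
    parsed apirest.php/User listing. An empty result means a READ-only
    API user is no longer handed other users' tokens."""
    found = []
    for user in users:
        for field in SENSITIVE_FIELDS:
            if user.get(field):  # "" or null means no token is set
                found.append((user.get("id"), field))
    return found


def redact_tokens(users):
    """Copy of the listing with the sensitive fields stripped, e.g. for a
    reverse proxy or log sanitiser placed in front of the API."""
    return [{k: v for k, v in u.items() if k not in SENSITIVE_FIELDS}
            for u in users]


def audit_response(body):
    """Parse the raw JSON body returned by apirest.php/User and audit it."""
    return leaked_token_fields(json.loads(body))


# Constructed sample response (not from a real GLPI instance): user 2 has
# both tokens set, user 5 has none.
SAMPLE_USERS = [
    {"id": 2, "name": "glpi", "api_token": "EXAMPLE_TOKEN_A",
     "personal_token": "EXAMPLE_TOKEN_B"},
    {"id": 5, "name": "tech", "api_token": "", "personal_token": None},
]
SAMPLE_BODY = json.dumps(SAMPLE_USERS)

if __name__ == "__main__":
    leaks = audit_response(SAMPLE_BODY)
    # Report which users/fields leak, never the token values themselves.
    print("exposed:" if leaks else "nothing exposed",
          [f"user {uid}: {field}" for uid, field in leaks])
```

Run it against your own patched instance by feeding the real response body to `audit_response`; an empty list confirms the fix (or the App-Token workaround) is in effect.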

Impact

All GLPI versions since 9.1 (addition of the REST/XmlRPC API).

Confirmed on:

  • 9.5/bugfixes
  • 9.4/bugfixes
  • 9.3/bugfixes

Patches

Fixed in 9f1117d

Workarounds

Possible solutions:

  • disable the API
  • disable User READ for the profiles
  • add a temporary application token so that users cannot test the API without knowing it

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2020-11033

Weaknesses

No CWEs