Any API user with READ right on the User itemtype will have access to the full list of users when querying apirest.php/User.
This is normal, but the answer contains:
- all api_token values: can be used for privilege escalation, or to read/update/delete data normally not accessible to the current user
- all personal_token values: can display other users' planning.
The first is a very high severity issue but requires:
- API enabled
- a technician account
- it can be mitigated by adding an application token
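As an added example (not part of the advisory or GLPI's own code), a small checker a defender can run over a captured apirest.php/User response to confirm whether token fields are present, plus a hypothetical server-side filter showing the shape of a fix; the sample response and token values are constructed placeholders, and the rule that the requester keeps its own tokens is an assumption, not a description of commit 9f1117d.

```python
import json

# Fields on the GLPI User itemtype that this advisory says were exposed
# to any API client with READ right on User.
SENSITIVE_USER_FIELDS = frozenset({"api_token", "personal_token"})

# Constructed sample of a vulnerable apirest.php/User listing.
# Token values are placeholders, not real credentials.
SAMPLE_RESPONSE = json.dumps([
    {"id": 2, "name": "glpi", "api_token": "PLACEHOLDER_API_TOKEN_1",
     "personal_token": "PLACEHOLDER_PERSONAL_TOKEN_1"},
    {"id": 5, "name": "tech", "api_token": "PLACEHOLDER_API_TOKEN_2",
     "personal_token": ""},
    {"id": 7, "name": "normal"},
])


def find_token_leaks(response_body: str) -> list[tuple[int, str]]:
    """Return (user id, field) pairs for every non-empty token field in a
    User listing. An empty or absent value is not counted as a leak, so a
    patched instance yields []."""
    leaks = []
    for record in json.loads(response_body):
        for field in sorted(SENSITIVE_USER_FIELDS):
            if record.get(field):
                leaks.append((record["id"], field))
    return leaks


def redact_user_records(response_body: str, requester_id: int) -> list[dict]:
    """Hypothetical server-side filter: drop both token fields from every
    record that does not belong to the requesting user. Assumption: the
    requester may still see its own tokens; every other record is stripped
    regardless of whether the value is empty."""
    redacted = []
    for record in json.loads(response_body):
        if record.get("id") == requester_id:
            redacted.append(dict(record))
        else:
            redacted.append({k: v for k, v in record.items()
                             if k not in SENSITIVE_USER_FIELDS})
    return redacted
```

Running find_token_leaks against a live instance's response (after applying the patch or the workarounds) should return an empty list.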
Impact
All GLPI versions since 9.1 (addition of the REST/XML-RPC API)
Confirmed on:
- 9.5/bugfixes
- 9.4/bugfixes
- 9.3/bugfixes
Patches
Fixed in 9f1117d
Workarounds
Possible solutions:
- disable the API
- disable User READ for the profiles
- add a temporary application token to prevent users from testing the API without knowing the application token
For more information
If you have any questions or comments about this advisory: