Bug 1758980 (CVE-2019-14666)

Summary:	CVE-2019-14666 glpi: information disclosure in ajax/autocompletion.php
Product:	[Other] Security Response	Reporter:	Dhananjay Arunesh <darunesh>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED UPSTREAM	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	fedora
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2019-10-07 06:51:07 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	1758981, 1758982
Bug Blocks:

Description Dhananjay Arunesh 2019-10-07 06:01:48 UTC

GLPI through 9.4.3 is prone to account takeover by abusing the ajax/autocompletion.php autocompletion feature. The lack of correct validation leads to recovery of the token generated via the password reset functionality, and thus an authenticated attacker can set an arbitrary password for any user. This vulnerability can be exploited to take control of admin account. This vulnerability could be also abused to obtain other sensitive fields like API keys or password hashes.

Reference:
https://github.com/glpi-project/glpi/security/advisories/GHSA-47hq-pfrr-jh5q
https://www.tarlogic.com/advisories/Tarlogic-2019-GPLI-Account-Takeover.txt

Comment 1 Dhananjay Arunesh 2019-10-07 06:02:04 UTC

Created glpi tracking bugs for this issue:

Affects: epel-7 [bug 1758982]
Affects: fedora-all [bug 1758981]

Comment 2 Product Security DevOps Team 2019-10-07 06:51:07 UTC

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.