Fedora Account System
Red Hat Associate
Red Hat Customer
In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User. The response contains: - All api_tokens which can be used to do privileges escalations or read/update/delete data normally non accessible to the current user. - All personal_tokens can display another users planning. Exploiting this vulnerability requires the api to be enabled, a technician account. It can be mitigated by adding an application token. This is fixed in version 9.4.6. Reference: https://github.com/glpi-project/glpi/security/advisories/GHSA-rf54-3r4w-4h55
Created glpi tracking bugs for this issue: Affects: epel-7 [bug 1834490] Affects: fedora-all [bug 1834489]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.