What is CVE-2020-11033?

CVE-2020-11033 is a vulnerability in GLPI versions 9.1 to 9.4.6 that allows any API user with READ right on User itemtype to access the full list of users.

What is the severity of CVE-2020-11033?

The severity of CVE-2020-11033 is high with a CVSS score of 7.2.

How does CVE-2020-11033 affect GLPI?

CVE-2020-11033 affects GLPI versions 9.1 to 9.4.6.

How can an API user exploit CVE-2020-11033?

An API user with READ right on User itemtype can exploit CVE-2020-11033 to access the full list of users and potentially perform privilege escalations or manipulate data.

Where can I find more information about CVE-2020-11033?

You can find more information about CVE-2020-11033 in the GitHub security advisory (https://github.com/glpi-project/glpi/security/advisories/GHSA-rf54-3r4w-4h55) and the Fedora Project mailing list announcements (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5WQMONZRWLWOXMHMYWR7A5Q5JJERPMVC/ and https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q4BG2UTINBVV7MTJRXKBQ26GV2UINA6L/).

Vulnerability/
CVE-2020-11033

high

7.2

CWE

200

5/5/2020

4/8/2024

CVE-2020-11033: Able to read any token through API user endpoint in GLPI

First published: Tue May 05 2020(Updated: )

In GLPI from version 9.1 and before version 9.4.6, any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User. The response contains: - All api_tokens which can be used to do privileges escalations or read/update/delete data normally non accessible to the current user. - All personal_tokens can display another users planning. Exploiting this vulnerability requires the api to be enabled, a technician account. It can be mitigated by adding an application token. This is fixed in version 9.4.6.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Teclib GLPI	>=9.1<9.4.6
Fedora	=31
Fedora	=32

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2020-11033?
CVE-2020-11033 is a vulnerability in GLPI versions 9.1 to 9.4.6 that allows any API user with READ right on User itemtype to access the full list of users.
What is the severity of CVE-2020-11033?
The severity of CVE-2020-11033 is high with a CVSS score of 7.2.
How does CVE-2020-11033 affect GLPI?
CVE-2020-11033 affects GLPI versions 9.1 to 9.4.6.
How can an API user exploit CVE-2020-11033?
An API user with READ right on User itemtype can exploit CVE-2020-11033 to access the full list of users and potentially perform privilege escalations or manipulate data.
Where can I find more information about CVE-2020-11033?
You can find more information about CVE-2020-11033 in the GitHub security advisory (https://github.com/glpi-project/glpi/security/advisories/GHSA-rf54-3r4w-4h55) and the Fedora Project mailing list announcements (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5WQMONZRWLWOXMHMYWR7A5Q5JJERPMVC/ and https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q4BG2UTINBVV7MTJRXKBQ26GV2UINA6L/).

agent/type
collector/mitre-cve
source/MITRE
agent/weakness
agent/author
agent/last-modified-date
agent/references
agent/severity
agent/title
agent/description
agent/first-publish-date
agent/event
agent/source
agent/softwarecombine
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/glpi-project
canonical/teclib glpi
version/teclib glpi/9.1
vendor/fedoraproject
canonical/fedora
version/fedora/31
version/fedora/32