CVE-2021-32663: Unauthorized setup leads to SSRF in Combodo/iTop
First published: Tue Oct 19 2021(Updated: )
iTop is an open source web based IT Service Management tool. In affected versions an attacker can call the system setup without authentication. Given specific parameters this can lead to SSRF. This issue has been resolved in versions 2.6.5 and 2.7.5 and later
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| iTop | <2.6.5 | |
| iTop | >=2.7.0<2.7.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2021-32663?
CVE-2021-32663 is classified as a critical vulnerability due to the potential for unauthenticated system setup access leading to SSRF.
How do I fix CVE-2021-32663?
To fix CVE-2021-32663, upgrade iTop to version 2.6.5, 2.7.5 or later.
What versions are affected by CVE-2021-32663?
Affected versions of iTop are prior to 2.6.5 and version 2.7.0 to 2.7.4 inclusively.
What attack vector is exploited in CVE-2021-32663?
CVE-2021-32663 can be exploited by an attacker invoking the system setup without authentication.
What could be the impact of CVE-2021-32663 on an organization?
The impact of CVE-2021-32663 could include unauthorized access to internal resources and potential data leakage due to SSRF exploitation.
- agent/type
- agent/softwarecombine
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/severity
- agent/title
- agent/weakness
- agent/references
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/combodo
- canonical/itop
- version/itop/2.7.0