Headline
CVE-2021-39211
GLPI is a free Asset and IT management software package. Starting in version 9.2 and prior to version 9.5.6, the telemetry endpoint discloses GLPI and server information. This issue is fixed in version 9.5.6. As a workaround, remove the file ajax/telemetry.php, which is not needed for usual functions of GLPI.
Disclosure of GLPI and server information in telemetry endpoint
Moderate
trasher published GHSA-xx66-v3g5-w825
Sep 15, 2021
Package
glpi (glpi)
Affected versions
>= 9.2
Patched versions
9.5.6
Description
Impact
All GLPI versions since 9.2
Patches
Upgrade to 9.5.6
Workarounds
Remove the file ajax/telemetry.php (not needed for usual functions of GLPI)
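A check for the affected range and the workaround above, as an added example that is not part of the advisory or of GLPI's own code. The function names and status labels are assumptions, and the installed version is passed in by the caller rather than read from the install.

```shell
#!/bin/sh
# Added example: classify a GLPI install against CVE-2021-39211.
# Affected range per the advisory: >= 9.2 and < 9.5.6.

# ver_lt A B: succeed if dotted numeric version A is lower than B.
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0} y=${y:-0}          # missing components count as 0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1                          # equal versions
}

# glpi_version_affected VERSION: 0 = affected, 1 = not affected, 2 = unparseable.
glpi_version_affected() {
    v=${1%%[!0-9.]*}                  # assumption: ignore suffixes such as "-dev"
    if [ -z "$v" ]; then return 2; fi
    if ver_lt "$v" 9.2; then return 1; fi
    ver_lt "$v" 9.5.6
}

# glpi_telemetry_status ROOT VERSION: print not-affected, mitigated
# (workaround applied), exposed (file still present) or unknown.
glpi_telemetry_status() {
    root=$1 version=$2 rc=0
    glpi_version_affected "$version" || rc=$?
    case $rc in
        0) if [ -e "$root/ajax/telemetry.php" ]; then echo exposed
           else echo mitigated; fi ;;
        1) echo not-affected ;;
        *) echo unknown ;;
    esac
}

# Usage: sh check.sh /path/to/glpi 9.5.5   (path and version are placeholders)
if [ "$#" -eq 2 ]; then
    glpi_telemetry_status "$1" "$2"
fi
```

A result of `mitigated` only confirms the file is absent from that directory tree; upgrading to 9.5.6 remains the fix the advisory gives.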
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
Severity
Moderate
CVE ID
CVE-2021-39211
Weaknesses
No CWEs