CVE-2025-27147

The GLPI Inventory Plugin handles various types of tasks for GLPI agents, including network discovery and inventory (SNMP), software deployment, VMWare ESX host remote inventory, and data collection (files, Windows registry, WMI). Versions prior to 1.5.0 have an improper access control vulnerability. Version 1.5.0 fixes the vulnerability.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 5.3

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/glpi-project/glpi-inventory-plugin/commit/aaeb26d98d07019375c25b56e60fffc195553545
https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-h6x9-jm98-cw7c

Configurations

No configuration.

History

27 Mar 2025, 16:45

Type	Values Removed	Values Added
Summary		(es) El complemento de inventario GLPI gestiona diversos tipos de tareas para los agentes GLPI, como el descubrimiento e inventario de red (SNMP), la implementación de software, el inventario remoto de hosts VMWare ESX y la recopilación de datos (archivos, registro de Windows, WMI). Las versiones anteriores a la 1.5.0 presentan una vulnerabilidad de control de acceso inadecuado. La versión 1.5.0 corrige esta vulnerabilidad.

25 Mar 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-25 15:15

Updated : 2025-03-27 16:45

NVD link : CVE-2025-27147

Mitre link : CVE-2025-27147

CVE.ORG link : CVE-2025-27147

JSON object : View

Products Affected

No product.

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-73

External Control of File Name or Path

CWE-552

Files or Directories Accessible to External Parties

8.2 /10