CVE-2023-22500 HIGH

CVE-2023-22500: glpi Unauthorized access to inventory files

Vendor Glpi-Project
Product glpi
Weakness CWE-863 · Incorrect authorization
Published January 25, 2023
Last update March 10, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6 are vulnerable to Incorrect Authorization. This vulnerability allow unauthorized access to inventory files. Thus, if anonymous access to FAQ is allowed, inventory files are accessbile by unauthenticated users. This issue is patched in version 10.0.6. As a workaround, disable native inventory and delete inventory files from server (default location is `files/_inventory`).

Key dates

02Disclosure timeline

January 25, 2023 CVE published
March 10, 2025 Record updated