CVE-2023-22500: 
GLPI vulnerability analysis and mitigation

GLPI, a Free Asset and IT Management Software package, was found to contain a vulnerability (CVE-2023-22500) affecting versions 10.0.0 and above, prior to 10.0.6. The vulnerability was related to incorrect authorization that allowed unauthorized access to inventory files. When anonymous access to FAQ was enabled, inventory files became accessible to unauthenticated users (GitHub Advisory, NVD).

The vulnerability was classified as an Incorrect Authorization issue (CWE-863) with a CVSS v3.1 base score of 7.5 (High). The vulnerability vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating that it can be exploited over the network, requires low attack complexity, needs no privileges or user interaction, and primarily impacts confidentiality (NVD).

The primary impact of this vulnerability is the potential exposure of sensitive inventory files to unauthorized users. When exploited, the vulnerability allows unauthenticated users to access inventory information if anonymous FAQ access is enabled, potentially leading to the disclosure of sensitive system and asset information (GitHub Advisory).

The vulnerability was patched in GLPI version 10.0.6. For users unable to update immediately, a workaround is available: disable native inventory and delete inventory files from the server (default location is files/_inventory) (GitHub Advisory).