CVE-2023-41321: 
GLPI vulnerability analysis and mitigation

GLPI (Gestionnaire Libre de Parc Informatique), a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing, was found to contain a sensitive information enumeration vulnerability. The vulnerability affects versions from 9.1.1 up to (excluding) 10.0.10, and was discovered in September 2023 (NVD, GitHub Advisory).

The vulnerability allows an API user to enumerate sensitive fields values on resources to which they have read access. The issue has been assigned a CVSS v3.1 base score of 6.5 MEDIUM (NIST) and 4.9 MEDIUM (GitHub) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The vulnerability impacts data confidentiality as it allows authenticated API users to access and enumerate sensitive field values from resources they have read access to. There are no reported impacts on system integrity or availability (GitHub Advisory).

Users are advised to upgrade to GLPI version 10.0.10 which contains patches for this vulnerability. There are no known workarounds for this vulnerability (NVD).