CVE-2024-50339: 
GLPI vulnerability analysis and mitigation

GLPI, a free asset and IT management software package, was found to contain a critical security vulnerability (CVE-2024-50339) that affects versions from 9.5.0 up to (excluding) 10.0.17. The vulnerability was discovered and disclosed on December 11, 2024, allowing unauthenticated users to retrieve all session IDs and use them to steal any valid session (NVD, ASEC).

The vulnerability has been assigned a Critical severity rating with a CVSS v4.0 base score of 9.3. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). The vulnerability can result in high impacts on both confidentiality (VC:H) and integrity (VI:H), with low impact on availability (VA:L) (Security Online, GitHub Advisory).

The vulnerability allows an unauthenticated attacker to retrieve all session IDs and use them to impersonate any logged-in user. This means an attacker doesn't need valid credentials to gain access to sensitive data and perform actions on behalf of legitimate users, posing an immediate and significant threat to any GLPI instance exposed to the internet (Security Online).

The vulnerability has been patched in GLPI version 10.0.17. Users are strongly advised to upgrade to this version immediately to mitigate the risk of exploitation (GLPI Release).