CVE-2021-43779

CRITICAL
Published Jan 5, 2022 (4y ago) · Modified Jun 17, 2026 (2w ago)
9.9 CVSS 3.1

Description

GLPI is an open source IT asset management, issue tracking and service desk system. The GLPI addressing plugin in versions < 2.9.1 suffers from an authenticated remote code execution vulnerability that allows access to the server's underlying operating system through command injection (abuse of functionality). There is no workaround for this issue; users are advised to upgrade or to disable the addressing plugin.

CVSS Details

Base Score: 9.9
Exploitability: 3.1
Impact: 6.0
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-20 Improper Input Validation
CWE-78 OS Command Injection

Affected Products 1

Vendor          Product     Version  Range
teclib-edition  addressing  *        <2.9.1

References 4

  • https://github.com/hansmach1ne/CVE-portfolio/tree/main/CVE-2021-43779
  • https://github.com/hansmach1ne/MyExploits/tree/main/RCE_GLPI_addressing_plugin
    Exploit, Third Party Advisory
  • https://github.com/pluginsGLPI/addressing/commit/6f55964803054a5acb5feda92c7c7f1d91ab5366
    Patch, Third Party Advisory
  • https://github.com/pluginsGLPI/addressing/security/advisories/GHSA-q5fp-xpr8-77jh
    Exploit, Third Party Advisory

Remediation

  • https://github.com/pluginsGLPI/addressing/commit/6f55964803054a5acb5feda92c7c7f1d91ab5366
    Patch, Third Party Advisory