CVE-2025-23046
Published: 25 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-23046 is a vulnerability in GLPI, a free asset and IT management software package. It affects versions starting from 9.5.0 up to but not including 10.0.18. The issue occurs when a "Mail servers" authentication provider is configured to use an OAuth connection provided by the OauthIMAP plugin, enabling improper authentication where access is granted based solely on a pre-existing OAuth authorization for a username.
An unauthenticated attacker with network access can exploit this vulnerability by supplying any username that has an established OAuth authorization, thereby logging into the GLPI instance as that user. Exploitation requires low complexity, no privileges, and no user interaction, as indicated by the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), resulting in high integrity impact through unauthorized access.
GLPI version 10.0.18 contains a patch for this vulnerability. As a workaround, disable any "Mail servers" authentication provider configured to use an OAuth connection from the OauthIMAP plugin. Additional details are available in the release notes at https://github.com/glpi-project/glpi/releases/tag/10.0.18 and the security advisory at https://github.com/glpi-project/glpi/security/advisories/GHSA-vfxc-qg3v-j2r5.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows remote attackers with no privileges to bypass authentication in GLPI by using any username with pre-established OAuthIMAP authorization, enabling exploitation of the public-facing web application.