CVE-2021-43779
CRITICAL
GLPI addressing plugin < 2.9.1 - Authenticated Remote Code Execution via Command Injection
Title source: llm
Description
GLPI is an open source IT Asset Management, issue tracking system and service desk system. The GLPI addressing plugin in versions < 2.9.1 suffers from an authenticated Remote Code Execution vulnerability, allowing access to the server's underlying operating system through command injection abuse of functionality. There is no workaround for this issue, and users are advised to upgrade or to disable the addressing plugin.
References (4)
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/pluginsGLPI/addressing/security/advisories/GHSA-q5fp-xpr8-77jh
Patch, Third Party Advisory x_refsource_misc
https://github.com/pluginsGLPI/addressing/commit/6f55964803054a5acb5feda92c7c7f1d91ab5366
Exploit, Third Party Advisory x_refsource_misc
https://github.com/hansmach1ne/MyExploits/tree/main/RCE_GLPI_addressing_plugin
Scores
CVSS v3
9.9
EPSS
0.0913
EPSS Percentile
94.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-20
CWE-78
Status
published
Products (1)
teclib-edition/addressing
< 2.9.1
Published
Jan 05, 2022
Tracked Since
Feb 18, 2026