Overview
CVE-2025-53360 is a medium severity vulnerability in the Database Inventory plugin for GLPI (Gestion Libre de Parc Informatique). The plugin manages the Teclib' inventory agents to collect database inventory from workstations. Prior to version 1.0.3, any authenticated GLPI user, regardless of profile or rights, could send requests directly to the inventory agents: the plugin only checked that the caller was logged in, not that the caller was allowed to drive agents. This could lead to unauthorized data access or manipulation. The issue is fixed in version 1.0.3.
Technical Details
The vulnerability stemmed from missing authorization checks in the Database Inventory plugin. The plugin verified that a request came from an authenticated session but did not check the user's profile rights before relaying the request to the Teclib' inventory agents, so authentication was effectively treated as authorization. Any user who could log in to GLPI, including low-privilege or self-service accounts, could therefore communicate with the agents that run the database inventory process and bypass the privilege model the plugin was meant to enforce. The fix in version 1.0.3 adds access control checks so that only users holding the appropriate right can interact with the agents.
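The pattern described above, as an added illustration rather than the plugin's own code: a plugin endpoint that relays an action to an agent, first gated only by a login check (the pre-1.0.3 shape), then gated by an explicit right check plus entity scoping. It uses GLPI core's Session and Agent classes; the right name plugin_databaseinventory, the action-to-endpoint mapping, the agents_id parameter and the handling of requestAgent()'s return value are assumptions made for this example.

```php
<?php
// Added illustration of the flaw class described above. This is not code
// from the Database Inventory plugin; it uses GLPI core's Session and Agent
// classes. The right name 'plugin_databaseinventory', the action mapping,
// the 'agents_id' POST parameter and the requestAgent() return handling
// are assumptions.
include('../../../inc/includes.php'); // bootstrap used by plugin ajax/ scripts

/**
 * Pre-fix shape: the only gate is "a session exists". Every GLPI user,
 * including self-service profiles, passes it and reaches the agent.
 */
function loadAgentVulnerable(int $agents_id): Agent
{
    Session::checkLoginUser();
    $agent = new Agent();
    if (!$agent->getFromDB($agents_id)) {
        throw new RuntimeException("agent $agents_id not found");
    }
    return $agent;
}

/**
 * Fixed shape: authentication, then an explicit authorization decision
 * against the caller's profile, then entity scoping of the target.
 */
function loadAgentAuthorized(int $agents_id): Agent
{
    Session::checkLoginUser();
    // Renders GLPI's access-denied page and stops if the profile lacks the right.
    Session::checkRight('plugin_databaseinventory', UPDATE); // assumed right name

    $agent = new Agent();
    if (!$agent->getFromDB($agents_id)) {
        throw new RuntimeException("agent $agents_id not found");
    }
    // A user entitled to drive agents in one entity must not reach agents in another.
    if (!Session::haveAccessToEntity((int) $agent->fields['entities_id'])) {
        throw new RuntimeException("agent $agents_id is outside the caller's entities");
    }
    return $agent;
}

// Endpoint body: relay only actions from a fixed list, and only to an authorized agent.
$actions = ['status' => 'status', 'inventory' => 'now']; // assumed UI action -> agent endpoint mapping
$action  = $_POST['action'] ?? '';
if (!array_key_exists($action, $actions)) {
    http_response_code(400);
    exit(json_encode(['error' => 'unknown action']));
}
$agent    = loadAgentAuthorized((int) ($_POST['agents_id'] ?? 0));
$response = $agent->requestAgent($actions[$action]); // core helper that contacts the agent over HTTP
header('Content-Type: application/json');
echo json_encode(['ok' => $response !== false && $response !== null]);
```

The line that matters is Session::checkRight(): GLPI rights are granted per profile, so the decision is made against what the caller's profile may do, not merely against whether a session exists. Session::checkLoginUser() on its own is exactly the check that lets a self-service account reach the agents. Where an endpoint should degrade rather than abort, Session::haveRight() returns a boolean instead of rendering the access-denied page.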
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) v3.1 assigns CVE-2025-53360 a base score of 4.3 (MEDIUM). The vector is likely AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N; note that a single Low confidentiality impact with no integrity impact (C:L/I:N) produces the same 4.3, so the score alone does not settle which of the two was scored. The likely vector breaks down as follows:
- AV:N (Attack Vector: Network) – The vulnerable endpoints are reachable over the network, from anywhere the GLPI web interface is exposed.
- AC:L (Attack Complexity: Low) – No special conditions outside the attacker's control have to hold; a request from an ordinary session is enough.
- PR:L (Privileges Required: Low) – The attacker needs an authenticated GLPI account, but no elevated profile.
- UI:N (User Interaction: None) – No action by an administrator or any other user is needed.
- S:U (Scope: Unchanged) – The impact stays within the security authority of the vulnerable component; no other component's boundary is crossed.
- C:N (Confidentiality: None) – No confidentiality impact is scored.
- I:L (Integrity: Low) – Limited integrity impact: an attacker can alter some data, here inventory state, but not arbitrarily or extensively.
- A:N (Availability: None) – No availability impact is scored.
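To check the score/vector pairing above, here is an added CVSS v3.1 base-score calculator. It is an independent implementation of the published v3.1 formula, not part of the advisory. For the quoted vector it returns 4.3; it also returns 4.3 for C:L/I:N, 5.4 if both C and I were Low, and 5.3 if no privileges were required, which is why 4.3 is consistent with exactly one Low impact behind an authenticated account and with nothing else.

```php
<?php
// CVSS v3.1 base-score calculator, added to check the score/vector pairing
// given above. Independent reimplementation of the public v3.1 formula;
// not part of the advisory.

function cvss31Roundup(float $value): float
{
    // Spec roundup: smallest one-decimal number >= value, done on integers
    // so that e.g. 4.0000001 does not become 4.1 through float noise.
    $int = (int) round($value * 100000);
    if ($int % 10000 === 0) {
        return $int / 100000;
    }
    return (floor($int / 10000) + 1) / 10;
}

function cvss31Base(string $vector): float
{
    $w = [
        'AV'  => ['N' => 0.85, 'A' => 0.62, 'L' => 0.55, 'P' => 0.2],
        'AC'  => ['L' => 0.77, 'H' => 0.44],
        'UI'  => ['N' => 0.85, 'R' => 0.62],
        'CIA' => ['H' => 0.56, 'L' => 0.22, 'N' => 0.0],
    ];
    // Privileges Required weight depends on Scope.
    $pr = [
        'U' => ['N' => 0.85, 'L' => 0.62, 'H' => 0.27],
        'C' => ['N' => 0.85, 'L' => 0.68, 'H' => 0.5],
    ];

    $m = [];
    foreach (explode('/', $vector) as $part) {
        if (strpos($part, 'CVSS:') === 0) {
            continue; // optional version prefix
        }
        $kv = explode(':', $part, 2);
        if (count($kv) !== 2) {
            throw new InvalidArgumentException("malformed metric '$part'");
        }
        $m[$kv[0]] = $kv[1];
    }
    foreach (['AV', 'AC', 'PR', 'UI', 'S', 'C', 'I', 'A'] as $k) {
        if (!isset($m[$k])) {
            throw new InvalidArgumentException("vector is missing metric $k");
        }
    }

    $changed = ($m['S'] === 'C');
    $iss = 1 - (1 - $w['CIA'][$m['C']]) * (1 - $w['CIA'][$m['I']]) * (1 - $w['CIA'][$m['A']]);
    $impact = $changed
        ? 7.52 * ($iss - 0.029) - 3.25 * pow($iss - 0.02, 15)
        : 6.42 * $iss;
    $exploitability = 8.22 * $w['AV'][$m['AV']] * $w['AC'][$m['AC']]
        * $pr[$m['S']][$m['PR']] * $w['UI'][$m['UI']];

    if ($impact <= 0) {
        return 0.0;
    }
    $raw = $changed ? 1.08 * ($impact + $exploitability) : $impact + $exploitability;
    return cvss31Roundup(min($raw, 10));
}

function cvss31Severity(float $score): string
{
    if ($score == 0.0) return 'NONE';
    if ($score < 4.0)  return 'LOW';
    if ($score < 7.0)  return 'MEDIUM';
    if ($score < 9.0)  return 'HIGH';
    return 'CRITICAL';
}

// The vector quoted above, plus the variants that bracket it.
$candidates = [
    'as quoted'            => 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N',
    'C:L instead of I:L'   => 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N',
    'both C:L and I:L'     => 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N',
    'unauthenticated PR:N' => 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N',
];
foreach ($candidates as $label => $vector) {
    $score = cvss31Base($vector);
    printf("%-22s %s -> %.1f (%s)\n", $label, $vector, $score, cvss31Severity($score));
}
```

The PR:N row is the one to keep in mind when triaging: had the relay been reachable without a session, the same flaw would have scored 5.3, so the "authenticated user" precondition is doing real work in the rating and should be part of any compensating-control argument.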
Possible Impact
While rated as medium severity, successful exploitation of this vulnerability could have the following impacts:
- Data Manipulation: An attacker might be able to manipulate inventory data, potentially leading to inaccurate records.
- Unauthorized Access (indirect): While direct confidentiality is not impacted, an attacker could potentially leverage manipulated inventory data to gain unauthorized access to systems.
- Compliance Violations: Inaccurate or manipulated inventory data can lead to non-compliance with regulatory requirements.
Mitigation or Patch Steps
The recommended mitigation is to upgrade the Database Inventory plugin to version 1.0.3 or later. This version includes the necessary security fixes to address the vulnerability. To upgrade:
- Log in to your GLPI instance as an administrator.
- Navigate to the Plugins section.
- Locate the “Database Inventory” plugin.
- If an update is available, click the “Update” button.
- Verify the installed version is 1.0.3 or higher.
If upgrading is not immediately possible, disable the plugin from the same Plugins screen until the update can be applied. This removes the plugin's request path to the agents entirely (database inventory collection stops until the plugin is re-enabled), which is preferable to leaving an authorization bypass reachable by every account.
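After updating, an added verification script (not from the advisory or the plugin) that reads the plugin's registered version from GLPI and compares it with 1.0.3, so the check can be scripted across several instances instead of read off the Plugins page. It assumes the plugin directory name databaseinventory, that the script sits in the GLPI root, and that it is run from the command line with the same bootstrap front/cron.php uses.

```php
<?php
// Added check, not from the advisory or the plugin: report whether the
// installed Database Inventory plugin is at or above the fixed version.
// Assumes the plugin directory name 'databaseinventory' and that this file
// is placed in the GLPI root and run with the PHP CLI.
include('inc/includes.php');

const DATABASEINVENTORY_FIXED_VERSION = '1.0.3';

function databaseinventoryStatus(string $dir = 'databaseinventory'): array
{
    $plugin = new Plugin();
    if (!$plugin->getFromDBbyDir($dir)) {
        return ['installed' => false, 'active' => false, 'version' => null,
                'outdated' => false, 'vulnerable' => false];
    }
    $version  = $plugin->fields['version'];
    $active   = Plugin::isPluginActive($dir);
    $outdated = version_compare($version, DATABASEINVENTORY_FIXED_VERSION, '<');
    return [
        'installed'  => true,
        'active'     => $active,
        'version'    => $version,
        // An inactive old copy is still worth flagging: it becomes
        // vulnerable again the moment someone re-enables it.
        'outdated'   => $outdated,
        // Only an active plugin exposes its endpoints.
        'vulnerable' => $active && $outdated,
    ];
}

$status = databaseinventoryStatus();
echo json_encode($status, JSON_PRETTY_PRINT), PHP_EOL;
exit($status['vulnerable'] ? 1 : 0);
```

The non-zero exit code on a vulnerable state is deliberate so the script can gate a deployment or feed a monitoring check; the distinction between outdated and vulnerable is there so that the interim workaround (plugin disabled) shows up as "not currently exposed, still needs the update" rather than as clean.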
