Impact
Non-authenticated user can remotely instantiate object of any class existing in the GLPI environment that can be used to carry out malicious attacks, or to start a “POP chain”.
As an example of direct impact, this vulnerability affects integrity of the GLPI core platform and third-party plugins runtime misusing classes which implement some sensitive operations in their constructors or destructors.
Patches
fixed in 9.5.4
Reference:
https://iterasec.com/cve-2021-21327-unsafe-reflection-in-getitemforitemtype-in-glpi/
vadymsoroka Analyst
Impact
Non-authenticated user can remotely instantiate object of any class existing in the GLPI environment that can be used to carry out malicious attacks, or to start a “POP chain”.
As an example of direct impact, this vulnerability affects integrity of the GLPI core platform and third-party plugins runtime misusing classes which implement some sensitive operations in their constructors or destructors.
Patches
fixed in 9.5.4
Reference:
https://iterasec.com/cve-2021-21327-unsafe-reflection-in-getitemforitemtype-in-glpi/