CVE-2021-43779

Published: Jan 5, 2022

Modified: Sep 8, 2025

PUBLISHED

CVSS v3.1

9.9

CRITICAL

Description

GLPI is an open source IT Asset Management, issue tracking system and service desk system. The GLPI addressing plugin in versions < 2.9.1 suffers from authenticated Remote Code Execution vulnerability, allowing access to the server's underlying operating system using command injection abuse of functionality. There is no workaround for this issue and users are advised to upgrade or to disable the addressing plugin.

Vendor	Product	Versions
pluginsGLPI	addressing	affected `< 2.9.1`

Weaknesses (CWE)

CWE-20

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

High

References

https://github.com/pluginsGLPI/addressing/security/advisories/GHSA-q5fp-xpr8-77jh

x_refsource_CONFIRM

https://github.com/pluginsGLPI/addressing/commit/6f55964803054a5acb5feda92c7c7f1d91ab5366

x_refsource_MISC

https://github.com/hansmach1ne/MyExploits/tree/main/RCE_GLPI_addressing_plugin

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-43779

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References