CVE-2025-27147: GLPI Inventory plugin has Improper Access Control Vulnerability

8.2 CVSS

Description

The GLPI Inventory Plugin handles various types of tasks for GLPI agents, including network discovery and inventory (SNMP), software deployment, VMware ESX host remote inventory, and data collection (files, Windows registry, WMI). Versions prior to 1.5.0 have an improper access control vulnerability. Version 1.5.0 fixes the vulnerability.

Classification

CVE ID: CVE-2025-27147

CVSS Base Severity: HIGH

CVSS Base Score: 8.2

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L

Problem Types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-73: External Control of File Name or Path
CWE-552: Files or Directories Accessible to External Parties

Affected Products

Vendor: glpi-project

Product: glpi-inventory-plugin

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.06% (probability of being exploited)

EPSS Percentile: 17.26% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-23 (date this score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2025-27147
https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-h6x9-jm98-cw7c
https://github.com/glpi-project/glpi-inventory-plugin/commit/aaeb26d98d07019375c25b56e60fffc195553545

Timeline