CVE-2021-43779

critical

Description

GLPI is an open source IT Asset Management, issue tracking system and service desk system. The GLPI addressing plugin in versions < 2.9.1 suffers from authenticated Remote Code Execution vulnerability, allowing access to the server's underlying operating system using command injection abuse of functionality. There is no workaround for this issue and users are advised to upgrade or to disable the addressing plugin.

References

https://github.com/pluginsGLPI/addressing/security/advisories/GHSA-q5fp-xpr8-77jh

https://github.com/pluginsGLPI/addressing/commit/6f55964803054a5acb5feda92c7c7f1d91ab5366

https://github.com/hansmach1ne/MyExploits/tree/main/RCE_GLPI_addressing_plugin

https://github.com/hansmach1ne/CVE-portfolio/tree/main/CVE-2021-43779

Details

Source: Mitre, NVD

Published: 2022-01-05

Updated: 2025-09-08

Risk Information

CVSS v2

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 9.9

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.03942