CVE-2025-23046
Published: 25 February 2025
Summary
CVE-2025-23046 is a high-severity Incorrect Implementation of Authentication Algorithm (CWE-303) vulnerability in Glpi-Project Glpi. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 14.3 percentile of exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Remediates the specific authentication bypass flaw in GLPI's OauthIMAP plugin by applying the vendor patch in version 10.0.18.
- IA-2 (Identification and Authentication (Organizational Users)): ensures unique identification and authentication of organizational users, directly countering the improper authentication that allows login with only a pre-authorized OAuth username.
- AC-3 (Access Enforcement): enforces approved authorizations to prevent unauthorized access granted by the flawed mail server OAuth authentication provider.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows remote attackers with no privileges to bypass authentication in GLPI by using any username with pre-established OAuthIMAP authorization, enabling exploitation of the public-facing web application.
NVD Description
GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.18, if a "Mail servers" authentication provider is configured to use an Oauth connection provided by the OauthIMAP plugin, anyone can connect to GLPI using a user name on which an Oauth authorization has already been established. Version 10.0.18 contains a patch. As a workaround, one may disable any "Mail servers" authentication provider configured to use an Oauth connection provided by the OauthIMAP plugin.
Deeper analysis
CVE-2025-23046 is a vulnerability in GLPI, a free asset and IT management software package. It affects versions starting from 9.5.0 up to but not including 10.0.18. The issue occurs when a "Mail servers" authentication provider is configured to use an OAuth connection provided by the OauthIMAP plugin, enabling improper authentication where access is granted based solely on a pre-existing OAuth authorization for a username.
An unauthenticated attacker with network access can exploit this vulnerability by supplying any username that has an established OAuth authorization, thereby logging into the GLPI instance as that user. Exploitation requires low complexity, no privileges, and no user interaction, as indicated by the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), resulting in high integrity impact through unauthorized access.
GLPI version 10.0.18 contains a patch for this vulnerability. As a workaround, disable any "Mail servers" authentication provider configured to use an OAuth connection from the OauthIMAP plugin. Additional details are available in the release notes at https://github.com/glpi-project/glpi/releases/tag/10.0.18 and the security advisory at https://github.com/glpi-project/glpi/security/advisories/GHSA-vfxc-qg3v-j2r5.
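The following is an added illustrative model of the CWE-303 flaw described above, written for this page; it is not GLPI or OauthIMAP plugin code, and the class and function names, the stored-grant set and the IMAP credentials are constructed assumptions. It contrasts the flawed decision (login succeeds whenever an OAuth grant already exists for the supplied username) with the advisory's workaround of not using an OAuth-backed "Mail servers" provider for interactive login.

```python
from dataclasses import dataclass, field


@dataclass
class MailAuthProvider:
    """Constructed model of one 'Mail servers' authentication provider."""
    name: str
    uses_oauth: bool                                   # backed by the OauthIMAP plugin
    oauth_authorized: set[str] = field(default_factory=set)      # usernames with a stored OAuth grant
    imap_passwords: dict[str, str] = field(default_factory=dict)  # constructed plain-IMAP credentials

    def imap_login(self, username: str, password: str) -> bool:
        # Plain IMAP provider: the mail server itself verifies the password.
        return self.imap_passwords.get(username) == password


def authenticate_vulnerable(provider: MailAuthProvider, username: str, password: str) -> bool:
    # Behaviour the advisory describes for 9.5.0 <= version < 10.0.18: with an
    # OAuth-backed provider the mailbox connection is opened with the stored
    # grant, so the password is never checked and only the existence of a
    # grant for the supplied username decides the outcome.
    if provider.uses_oauth:
        return username in provider.oauth_authorized
    return provider.imap_login(username, password)


def authenticate_fixed(provider: MailAuthProvider, username: str, password: str) -> bool:
    # Models the advisory's workaround (not the vendor patch itself): an
    # OAuth-backed provider is never accepted as an interactive login backend.
    if provider.uses_oauth:
        return False
    return provider.imap_login(username, password)


def providers_to_disable(providers: list[MailAuthProvider]) -> list[str]:
    # Inventory helper for the workaround: every OAuth-backed provider is a
    # candidate to disable until the instance runs 10.0.18 or later.
    return [p.name for p in providers if p.uses_oauth]


if __name__ == "__main__":
    oauth = MailAuthProvider("oauth-imap", True, oauth_authorized={"alice"})
    plain = MailAuthProvider("plain-imap", False, imap_passwords={"carol": "s3cret"})
    print(authenticate_vulnerable(oauth, "alice", "wrong-password"))  # True: the bypass
    print(authenticate_fixed(oauth, "alice", "wrong-password"))       # False
    print(providers_to_disable([oauth, plain]))                       # ['oauth-imap']
```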
Details
- CWE(s)