GLPI is a free asset and IT management software package. Starting in version 0.84 and prior to versions 9.5.13 and 10.0.7, usage of RSS feeds is subject to server-side request forgery (SSRF). In case the remote address is not a valid RSS feed, an RSS autodiscovery feature is triggered. This feature does not check safety or URLs. Versions 9.5.13 and 10.0.7 contain a patch for this issue.
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Glpi | Glpi-project | 0.84 (including) | 9.5.13 (excluding) |
| Glpi | Glpi-project | 10.0.0 (including) | 10.0.7 (excluding) |
| Glpi | Ubuntu | trusty | * |
| Glpi | Ubuntu | xenial | * |