CVE-2021-39190: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in pluginsGLPI sccm

Medium
Published: Thu Sep 22 2022 (09/22/2022, 16:30:15 UTC)
Source: CVE
Vendor/Project: pluginsGLPI
Product: sccm

Description

The SCCM plugin for GLPI is a plugin to synchronize computers from SCCM (version 1802) to GLPI. In versions prior to 2.3.0, the Configuration page is publicly accessible in read-only mode. This issue is patched in version 2.3.0. No known workarounds exist.

AI-Powered Analysis

AI analysis last updated: 06/22/2025, 18:50:12 UTC

Technical Analysis

CVE-2021-39190 is a vulnerability identified in the SCCM plugin for GLPI, affecting versions prior to 2.3.0. GLPI is an open-source IT asset management and service desk application, and the SCCM plugin synchronizes computer inventory data from Microsoft's System Center Configuration Manager (SCCM) version 1802 into GLPI. The vulnerability arises because the plugin's Configuration page can be reached in read-only mode without authentication. This allows unauthorized actors to view potentially sensitive configuration information about the SCCM synchronization setup. Although the access is read-only, the disclosed information could include details about the network environment, system configuration, or synchronization parameters that would aid an attacker in reconnaissance or in preparing targeted attacks. The issue was patched in version 2.3.0 of the plugin. No known workarounds exist, so upgrading to the patched version is the primary remediation. There are no known exploits in the wild, and the vulnerability is classified under CWE-200, exposure of sensitive information to an unauthorized actor. No authentication or user interaction is required to trigger the disclosure, since the affected versions serve the Configuration page to unauthenticated requests.

Potential Impact

For European organizations using GLPI with the SCCM plugin (versions prior to 2.3.0), this vulnerability could lead to unauthorized disclosure of sensitive configuration data. While the exposure is read-only and does not allow direct modification or disruption of services, the leaked information could facilitate further attacks such as targeted phishing, social engineering, or exploitation of other vulnerabilities by providing attackers with insights into the IT infrastructure. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and government, may face compliance risks if sensitive configuration details are exposed. Additionally, the exposure could undermine trust in IT asset management processes and potentially lead to indirect operational impacts if attackers leverage the information for lateral movement or privilege escalation. Given that GLPI is widely used in European public administrations and enterprises for IT asset management, the impact is non-trivial but limited to information disclosure without direct system compromise.

Mitigation Recommendations

The primary and most effective mitigation is to upgrade the SCCM plugin for GLPI to version 2.3.0 or later, where the Configuration page is no longer publicly accessible. Organizations should audit their GLPI installations to identify the plugin version in use and prioritize patching accordingly. In environments where immediate upgrading is not feasible, organizations should implement network-level access controls such as restricting access to the GLPI web interface via IP whitelisting or VPN-only access to limit exposure to trusted users. Additionally, web application firewalls (WAFs) can be configured to block unauthorized requests targeting the Configuration page URL. Regularly reviewing and hardening GLPI and plugin configurations to minimize publicly accessible endpoints is recommended. Monitoring web server logs for unusual access patterns to the Configuration page can help detect potential reconnaissance attempts. Finally, organizations should ensure that sensitive information is not unnecessarily exposed in configuration pages and consider additional application-level authentication or authorization controls if customization is possible.

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2021-08-16T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9845c4522896dcbf422a

Added to database: 5/21/2025, 9:09:25 AM

Last enriched: 6/22/2025, 6:50:12 PM

Last updated: 7/30/2025, 5:45:11 PM
