A vulnerability was found in GLPI up to 10.0.1 (Asset Management Software). It has been declared as problematic. Affected by this vulnerability is an unknown code block. The manipulation with an unknown input leads to a information disclosure vulnerability. The CWE definition for the vulnerability is CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. As an impact it is known to affect confidentiality. The summary by CVE is:

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions all GLPI instances with the native inventory used may leak sensitive information. The feature to get refused file is not authenticated. This issue has been addressed in version 10.0.2 and all affected users are advised to upgrade.

The weakness was released 06/29/2022 as GHSA-g4hm-6vfr-q3wg. The advisory is shared at github.com. This vulnerability is known as CVE-2022-31068 since 05/18/2022. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1592 for this issue.

Upgrading to version 10.0.2 eliminates this vulnerability. Applying the patch 9953a644777e4167b06db9e14fc93b945a557be5 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Productinfo

Type

• Asset Management Software

Name

• GLPI

Version

• 10.0.0
• 10.0.1

License

• open-source

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion