CVE-2022-24867 in GLPI

Summary

by MITRE • 04/21/2022

GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. When you pass the config to the JavaScript, some entries are filtered out. The variable ldap_pass is not filtered, and when you look at the source code of the rendered page, you can see the password for the root dn. Users are advised to upgrade. There is no known workaround for this issue.


Analysis

by VulDB Data Team • 04/28/2022

The vulnerability identified as CVE-2022-24867 affects GLPI, a widely-used open-source asset and IT management software that provides ITIL Service Desk capabilities along with license tracking and software auditing functionalities. This issue resides within the application's handling of configuration data that gets passed to JavaScript components, creating a critical exposure in the software's security architecture. The vulnerability specifically targets the configuration parameter ldap_pass which represents the password for the LDAP root distinguished name, a sensitive credential that should never be exposed to client-side applications.

The flaw lies in the filtering applied when configuration variables are serialized for JavaScript consumption in the rendered web pages. Many configuration entries are filtered out before serialization, but the ldap_pass variable is not covered by that filter, so the plaintext password is embedded directly into the HTML source of the rendered page. Sensitive data therefore flows from server-side configuration into a client-side execution context without an appropriate security control, a case of insufficient input validation and output encoding. The vulnerability is categorized under CWE-20: Improper Input Validation and CWE-79: Cross-site Scripting (XSS), as it exposes credentials through improper data handling in a web application.

The operational impact of this vulnerability is severe for organizations relying on GLPI for their IT asset management and service desk operations. Anyone who can view the source of a rendered GLPI page obtains the LDAP root password, which typically carries extensive privileges within the organization's directory services. With that credential an attacker can authenticate to the LDAP servers, which can lead to privilege escalation, lateral movement, and complete compromise of the directory infrastructure. Because the credential underpins the application's core authentication mechanism, the exposure undermines the security posture of the entire IT management ecosystem and can give attackers persistent access to critical IT resources and a path to escalate privileges within the organization's network.

Organizations affected by this vulnerability should prioritize immediate remediation through the official GLPI upgrade process, as no workaround addresses the root cause. The recommended mitigation is to upgrade to the latest version of GLPI, in which the configuration filtering has been corrected so that sensitive variables such as ldap_pass are no longer exposed to client-side JavaScript contexts. Security teams should also audit their GLPI installations to confirm that no other sensitive configuration parameters are exposed in a similar way. Network segmentation and access controls should be reviewed to limit the reachable attack surface, and monitoring should be tuned to detect unusual LDAP authentication patterns that might indicate the credential has been abused. The vulnerability illustrates why configuration management and the principle of least privilege matter in security architectures, particularly for authentication credentials that must never reach untrusted client contexts.
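As an added example (not GLPI's code and not part of this entry), the following Python script illustrates both the filtering flaw described above and the kind of audit check recommended here: a denylist-style export that forgets one key leaks it into the page, an allowlist-style export does not, and a small scanner flags sensitive-looking keys or known secret values that appear in a rendered page's inline script. All configuration keys other than ldap_pass, the variable name PAGE_CONFIG, the hostnames and the credential values are constructed placeholders.

```python
import json
import re

# Constructed sample configuration (not GLPI's real config); secrets are placeholders.
SAMPLE_CONFIG = {
    "url_base": "https://glpi.example.test",
    "language": "en_GB",
    "ldap_host": "ldap.example.test",
    "ldap_rootdn": "cn=admin,dc=example,dc=test",
    "ldap_pass": "PLACEHOLDER-ROOT-DN-PASSWORD",
    "smtp_passwd": "PLACEHOLDER-SMTP-PASSWORD",
    "proxy_passwd": "",
    "cas_host": "",
}

# Weak pattern: a denylist of keys to strip before export. Any secret the list
# forgets (here ldap_pass) passes straight through to the page, which is the
# shape of the flaw this advisory describes.
DENYLIST = {"smtp_passwd", "proxy_passwd"}


def export_config_denylist(config):
    """Export everything except the keys someone remembered to deny."""
    return {k: v for k, v in config.items() if k not in DENYLIST}


# Hardened pattern: an allowlist of the keys the client actually needs. A new
# sensitive key added to the server config is never exported by default.
CLIENT_ALLOWLIST = {"url_base", "language"}


def export_config_allowlist(config):
    """Export only keys explicitly approved for client-side use."""
    return {k: v for k, v in config.items() if k in CLIENT_ALLOWLIST}


def render_page(client_config):
    """Embed the exported config in a page the way a server-side template would."""
    return (
        "<html><head><script>\n"
        f"var PAGE_CONFIG = {json.dumps(client_config)};\n"
        "</script></head><body></body></html>"
    )


# Audit: pull every JSON object assigned inside inline script text and flag
# keys whose names look like secrets, plus values equal to a known server secret.
SENSITIVE_KEY_RE = re.compile(r"(pass|passwd|password|secret|token|key)", re.I)
ASSIGN_RE = re.compile(r"=\s*(\{.*?\});", re.S)


def audit_rendered_page(html, known_secrets=()):
    """Return a list of findings for secrets exposed in a rendered page's source."""
    findings = []
    for match in ASSIGN_RE.finditer(html):
        try:
            obj = json.loads(match.group(1))
        except json.JSONDecodeError:
            continue  # not JSON; skip this assignment
        for key, value in obj.items():
            if SENSITIVE_KEY_RE.search(key) and value not in ("", None):
                findings.append(f"sensitive-looking key exported: {key}")
            elif value != "" and value in known_secrets:
                findings.append(f"known secret value exported under key: {key}")
    return findings


if __name__ == "__main__":
    secrets = (SAMPLE_CONFIG["ldap_pass"], SAMPLE_CONFIG["smtp_passwd"])
    for label, exporter in (("denylist", export_config_denylist),
                            ("allowlist", export_config_allowlist)):
        page = render_page(exporter(SAMPLE_CONFIG))
        print(label, audit_rendered_page(page, secrets))
```

Run against the denylist export the scanner reports ldap_pass; against the allowlist export it reports nothing. The scanner is a coarse check meant for an installation audit, so a clean result does not prove a page is free of secrets, and because the password may already have been read from page source before an upgrade, treating the root DN credential as compromised and rotating it is the natural complement to the upgrade the advisory recommends.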

Responsible

GitHub, Inc.

Reservation

02/10/2022

Disclosure

04/21/2022

Moderation

accepted

CPE

ready

EPSS

0.01221

KEV

no

Activities

very low
