CVE-2022-29250 in GLPI

Summary

by MITRE • 06/10/2022

GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to version 10.0.1 it is possible to add extra information by SQL injection on search pages. In order to exploit this vulnerability a user must be logged in.


Analysis

by VulDB Data Team • 06/15/2022

CVE-2022-29250 affects GLPI, a widely used free asset and IT management software package that provides ITIL Service Desk features, license tracking, and software auditing. The flaw exists in versions prior to 10.0.1 and is a critical SQL injection vulnerability exploitable by authenticated attackers. It lies in the application's search pages, where an attacker can inject SQL into the query the application builds, manipulate that query, and extract sensitive information from the underlying database.

Technically, the vulnerability stems from insufficient input validation and sanitization in GLPI's search functionality: when a user performs a search, the input parameters are not properly escaped or filtered before being incorporated into SQL queries. An attacker who already holds an authenticated session can therefore craft search requests that execute arbitrary SQL on the database server. The weakness is classified as CWE-89 (SQL injection), part of the broader injection class that remains among the most prevalent and dangerous vulnerabilities in web applications.
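As an added illustration (not GLPI's own code, which is PHP on MySQL), the following Python script uses an in-memory SQLite table standing in for an asset inventory to contrast a search handler that splices the search term and sort column into the query text with one that binds the term as a parameter and allowlists the sort column; the table, column names and inputs are constructed for the example.

```python
import sqlite3

# Constructed sample inventory standing in for a GLPI asset table (not the real schema).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE assets (id INTEGER, name TEXT, owner TEXT)")
    con.executemany("INSERT INTO assets VALUES (?, ?, ?)", [
        (1, "laptop-01", "alice"),
        (2, "laptop-02", "bob"),
        (3, "server-01", "ops"),
    ])
    return con

def search_vulnerable(con, term, sort):
    # Search term and sort column are spliced straight into the SQL text (CWE-89):
    # a quote in `term` ends the string literal and the rest becomes query syntax.
    sql = f"SELECT id, name, owner FROM assets WHERE name LIKE '%{term}%' ORDER BY {sort}"
    return con.execute(sql).fetchall()

# Identifiers cannot be bound as parameters, so the sort column comes from an allowlist.
ALLOWED_SORT = {"id", "name", "owner"}

def search_hardened(con, term, sort):
    if sort not in ALLOWED_SORT:
        raise ValueError(f"unsupported sort column: {sort!r}")
    # The search term is passed as a bound parameter, so quotes inside it stay data.
    sql = f"SELECT id, name, owner FROM assets WHERE name LIKE ? ORDER BY {sort}"
    return con.execute(sql, (f"%{term}%",)).fetchall()

def rejects_sort(con, sort):
    # True if the hardened handler refuses the given sort column.
    try:
        search_hardened(con, "laptop", sort)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    # A search string that matches no asset name but, once spliced into the query,
    # adds a second LIKE condition and returns a row the user's filter never matched.
    crafted = "x' OR name LIKE '%server"
    print("vulnerable:", search_vulnerable(db, crafted, "id"))  # returns server-01
    print("hardened:  ", search_hardened(db, crafted, "id"))    # returns []
```

The vulnerable handler returns the server row although no asset name contains the search string, which is exactly the "extra information" the advisory describes; the hardened handler returns nothing for the same input and refuses any sort column outside the allowlist.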

The operational impact of this vulnerability is significant as it provides authenticated attackers with the ability to perform unauthorized data access, modification, and deletion operations within the GLPI database. Attackers can potentially extract sensitive information including user credentials, system configurations, asset inventory data, and license tracking information. The vulnerability's requirement for a logged-in user account limits its exploitation scope but does not eliminate the risk, as compromised user accounts or privilege escalation attacks can lead to successful exploitation. This vulnerability aligns with ATT&CK technique T1071.004 Application Layer Protocol: DNS, as it leverages the application's legitimate search functionality to perform malicious database operations.

Exploitation requires valid credentials to establish an authenticated session in GLPI. Once authenticated, the attacker can manipulate search parameters to inject SQL that bypasses authentication mechanisms, extracts confidential data, or modifies existing records, which could lead to complete compromise of the asset management system and to lateral movement within the network infrastructure that relies on GLPI for IT asset tracking and service desk management. Organizations running affected versions should immediately apply the vendor-provided patch (version 10.0.1 or later) to prevent data breaches or unauthorized access to critical IT infrastructure information.

Responsible: GitHub, Inc.

Reservation: 04/13/2022

Disclosure: 06/10/2022

Moderation: accepted

CPE: ready

EPSS: 0.00742

KEV: no

Activities: very low
