CVE-2022-31068 in GLPIinfo

Summary

by MITRE • 06/28/2022

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions all GLPI instances with the native inventory used may leak sensitive information. The feature to get refused file is not authenticated. This issue has been addressed in version 10.0.2 and all affected users are advised to upgrade.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 09/03/2025

CVE-2022-31068 represents a critical information disclosure vulnerability within the GLPI (Gestionnaire Libre de Parc Informatique) platform, a widely deployed free asset and IT management software solution. This vulnerability specifically affects GLPI instances utilizing the native inventory feature, creating a significant security risk for organizations relying on the platform for critical infrastructure management. The flaw stems from insufficient authentication controls within the file handling mechanism, allowing unauthorized access to sensitive data through the rejected file retrieval functionality. The vulnerability falls under the CWE-284 access control weakness category, where improper access restrictions enable unauthorized users to exploit the system's file processing capabilities.

The technical implementation of this vulnerability exploits the lack of proper authentication checks when processing rejected files within the GLPI inventory system. Attackers can leverage this weakness to access files that should remain protected, potentially including sensitive configuration data, system logs, or other confidential information stored within the platform's inventory database. The issue manifests when the system processes files that fail validation checks, as the rejected file retrieval mechanism does not properly verify user credentials or authorization levels before granting access. This represents a fundamental flaw in the platform's privilege management system, where the principle of least privilege is violated, allowing unauthorized access to data that should be restricted to authorized administrators only.

The operational impact of CVE-2022-31068 extends beyond simple data exposure, as it undermines the core security posture of organizations using GLPI for critical IT asset management. Organizations may face compliance violations under data protection regulations such as gdpr and hipaa, as sensitive information could be accessed by unauthorized parties. The vulnerability particularly affects data center management capabilities within GLPI, where access to inventory details, licensing information, and service desk records could provide attackers with comprehensive insights into an organization's IT infrastructure. This exposure could facilitate further attacks, including privilege escalation attempts or targeted exploitation of other system components, as attackers gain access to detailed system information that would otherwise remain protected.

Organizations using affected GLPI versions should immediately implement the recommended mitigation strategy of upgrading to version 10.0.2 or later, which addresses the authentication gap in the rejected file handling process. The fix implemented in the updated version ensures that proper authentication checks are enforced before allowing access to rejected files, thereby restoring the intended access controls within the system. Security teams should also conduct thorough assessments of their GLPI implementations to identify any potential exploitation attempts and monitor for suspicious file access patterns. Additionally, implementing network segmentation and access controls around GLPI systems can provide additional layers of protection while awaiting the upgrade process. This vulnerability demonstrates the importance of maintaining up-to-date software versions and implementing comprehensive security controls around inventory management systems that handle sensitive organizational data. The issue aligns with attack patterns documented in the mitre att&ck framework under the credential access and defense evasion techniques, where unauthorized access to system files represents both a data exfiltration vector and a potential foothold for further system compromise.

Responsible

GitHub, Inc.

Reservation

05/18/2022

Disclosure

06/28/2022

Moderation

accepted

CPE

ready

EPSS

0.00850

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!