CVE-2022-31082 in glpi-inventory-plugin
Summary
by MITRE • 06/28/2022
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. glpi-inventory-plugin is a plugin for GLPI to handle inventory management. In affected versions a SQL injection can be made using package deployment tasks. This issue has been resolved in version 1.0.2. Users are advised to upgrade. Users unable to upgrade should delete the `front/deploypackage.public.php` file if they are not using the `deploy tasks` feature.
Analysis
by VulDB Data Team • 07/16/2022
CVE-2022-31082 is a critical SQL injection vulnerability in glpi-inventory-plugin, the inventory component of the GLPI asset and IT management platform. It affects the package deployment functionality: an attacker can manipulate database queries through malicious input in deployment tasks. The flaw lies in how user-supplied data is handled in the deployment package execution flow, opening an avenue for unauthorized database access and data manipulation. It is classified under CWE-89, which covers SQL injection arising from insufficient input validation and improper query construction. Because GLPI is a comprehensive IT asset management solution with integrated data center management and ITIL service desk capabilities, the vulnerability poses a significant risk to organizations that rely on the platform for critical infrastructure management.
Exploitation occurs when an attacker crafts malicious input in deployment package tasks that is incorporated directly into SQL queries without sanitization or parameterization. The attack vector targets `front/deploypackage.public.php`, which serves the public deployment package interface and is therefore reachable by unauthorized users with limited privileges. The flaw reflects weak input validation and inadequate protection against injected data, and it allows arbitrary SQL to be executed against the underlying database. It is particularly concerning because the inventory plugin handles sensitive information about software deployments, system configurations, and asset tracking data that organizations rely on for compliance and operational security.
Organizations running GLPI with an affected plugin version face unauthorized data access, data corruption, and possible privilege escalation within the database layer. The vulnerability compromises the integrity and confidentiality of deployed software packages, system inventory records, and the potentially sensitive IT asset information that flows through the deployment pipeline. An attacker could extract confidential data from the database, modify existing deployment configurations, or gain deeper access to the underlying system through database-level commands. The risk is greatest where GLPI is the central management platform for enterprise IT operations, since the data it holds on software licensing, deployment schedules, and system configurations can be used to plan further attacks within the network.
Mitigation should prioritize upgrading to version 1.0.2, where the vulnerability has been addressed through proper input validation and parameterized query construction. Organizations that cannot upgrade immediately should apply the temporary workaround of deleting `front/deploypackage.public.php` when the deployment tasks feature is not required; this removes the attack surface by disabling the vulnerable functionality entirely. Security teams should also restrict network access to the deployment package interface, enforce strict input validation at the application level, and monitor database access logs for suspicious activity. This issue is mapped to ATT&CK technique T1071.004, covering application layer protocol manipulation, and T1046, network service scanning that could be used to identify vulnerable systems. Organizations should review their GLPI installations for other potentially affected components and maintain comprehensive patch management processes to prevent similar vulnerabilities in the future.
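As an added illustration of the hardening the analysis describes (example code, not from GLPI or glpi-inventory-plugin; the table, rows, input value and function names are constructed for this example), the following Python contrasts a lookup that splices a deploy package identifier into SQL with one that validates the value and binds it as a parameter:

```python
import sqlite3

# Constructed in-memory stand-in for the plugin's deploy package table.
# The schema, rows and function names are invented for this example and
# are not those of glpi-inventory-plugin.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE deploy_packages (id INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO deploy_packages VALUES (?, ?)",
        [(1, "office-suite"), (2, "vpn-client"), (3, "internal-agent")],
    )
    return conn

def lookup_package_vulnerable(conn, package_id):
    # CWE-89 pattern: the request parameter is concatenated into the query,
    # so the database parses attacker-controlled text as SQL.
    sql = "SELECT id, name FROM deploy_packages WHERE id = " + package_id
    return conn.execute(sql).fetchall()

def lookup_package_hardened(conn, package_id):
    # Hardened form: reject anything that is not an integer before it
    # reaches the database, then bind the value instead of splicing it.
    if not package_id.isdigit():
        raise ValueError("package id must be a non-negative integer")
    sql = "SELECT id, name FROM deploy_packages WHERE id = ?"
    return conn.execute(sql, (int(package_id),)).fetchall()

def demo():
    conn = build_db()
    # Constructed tautology input; an honest request would carry just "2".
    tainted = "2 OR 1=1"
    leaked = lookup_package_vulnerable(conn, tainted)  # every row comes back
    try:
        lookup_package_hardened(conn, tainted)
        blocked = False
    except ValueError:
        blocked = True                                  # rejected before the query
    expected = lookup_package_hardened(conn, "2")       # exactly one row
    return len(leaked), blocked, expected

if __name__ == "__main__":
    print(demo())  # (3, True, [(2, 'vpn-client')])
```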