CVE-2024-37147 in glpi
Summary
by MITRE • 07/10/2024
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can attach a document to any item, even if the user has no write access on it. Upgrade to 10.0.16.
Analysis
by VulDB Data Team • 07/11/2024
CVE-2024-37147 affects GLPI, a widely used open-source IT asset and management software package that implements ITIL Service Desk functionality along with license tracking and software auditing. The flaw is an authorization bypass that undermines the application's access control mechanisms and puts the integrity of organizational asset data at risk.
Technically, the vulnerability stems from improper access control validation in GLPI's document attachment functionality. An authenticated user can bypass the normal write permission check and attach a document to any item, regardless of the user's actual rights on that item: the authorization logic does not verify that the user holds write permission on the target item before the attachment operation is allowed. The vulnerability is classified under CWE-285 (Improper Authorization) and is aligned with ATT&CK technique T1078.004, related to valid accounts and privilege escalation through unauthorized access to resources.
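To make the missing check concrete, the following added example (not GLPI's code; the permission model, function names and users are hypothetical) contrasts an attachment handler that only checks the user's general right to add documents with one that also requires write access on the specific target item:

```python
from dataclasses import dataclass, field

# Hypothetical permission model, constructed for this example (not GLPI's code).
READ, WRITE = 1, 2

class Forbidden(Exception):
    """Raised when an operation fails an authorization check."""

@dataclass
class Item:
    name: str
    rights: dict                 # user -> permission bits on this item
    documents: list = field(default_factory=list)

def attach_document_vulnerable(user, can_add_documents, item, doc_id):
    # Before: only the global "may add documents" right is checked; nothing
    # verifies that the user may modify the item the document is attached to.
    if not can_add_documents:
        raise Forbidden("user lacks the right to add documents")
    item.documents.append(doc_id)

def attach_document_fixed(user, can_add_documents, item, doc_id):
    # After: attaching a document modifies the target item, so the user must
    # also hold WRITE on that specific item, not just the general document right.
    if not can_add_documents:
        raise Forbidden("user lacks the right to add documents")
    if not item.rights.get(user, 0) & WRITE:
        raise Forbidden(f"{user} has no write access on {item.name}")
    item.documents.append(doc_id)

def try_attach(handler, user, item, doc_id):
    # Return True if the handler attached the document, False if it was denied.
    try:
        handler(user, True, item, doc_id)   # every user here may add documents
        return True
    except Forbidden:
        return False

def demo():
    # Constructed scenario: alice has read-only access to a server record,
    # bob has write access. Both hold the general right to add documents.
    server = Item("srv-01", rights={"alice": READ, "bob": READ | WRITE})
    return {
        "vulnerable_alice": try_attach(attach_document_vulnerable, "alice", server, 101),
        "fixed_alice": try_attach(attach_document_fixed, "alice", server, 102),
        "fixed_bob": try_attach(attach_document_fixed, "bob", server, 103),
        "attached": list(server.documents),
    }
```

The vulnerable handler lets the read-only user modify the item, while the fixed handler denies it and still allows the user who actually holds write access.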
The operational impact goes beyond simple data exposure to potential privilege escalation and unauthorized modification of critical IT assets. An attacker with basic user credentials could attach malicious documents to sensitive system items, potentially corrupting data, altering asset records without authorization, or creating false audit trails. Organizations that rely on GLPI for critical IT infrastructure management and asset tracking are particularly affected, since the flaw undermines the integrity of the access control framework and could let attackers manipulate audit records or gain unauthorized access to sensitive information.
Organizations running GLPI should upgrade to version 10.0.16, which contains the patch for this authorization bypass, without delay. System administrators should also conduct thorough access control reviews to identify any unauthorized document attachments made before the patch was deployed, and security teams should monitor audit logs for unusual document attachment activity and consider additional access control monitoring to detect similar bypass attempts. The vulnerability illustrates why proper access control validation in multi-user environments, regular security updates, and comprehensive testing of access control mechanisms matter in enterprise IT management platforms.