CVE-2022-35947

2022-09-1418:15:10

CWE-89

[email protected]

web.nvd.nist.gov

236

glpi

it management

sql injection

cve-2022-35947

itil service desk

software auditing

security vulnerability

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.8 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.3%

JSON

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Affected versions have been found to be vulnerable to a SQL injection attack which an attacker could leverage to simulate an arbitrary user login. Users are advised to upgrade to version 10.0.3. Users unable to upgrade should disable the Enable login with external token API configuration.

Affected configurations

Vulners

NVD

Node

glpi-projectglpiRange9.1–10.0.3

VendorProductVersionCPE
glpi\-projectglpi*cpe:2.3:a:glpi\-project:glpi:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
glpi\-project	glpi	*	cpe:2.3:a:glpi\-project:glpi::::::::

CNA Affected

[
  {
    "product": "glpi",
    "vendor": "glpi-project",
    "versions": [
      {
        "status": "affected",
        "version": ">= 9.1, < 10.0.3"
      }
    ]
  }
]