Cyber Resilience

CVE-2022-31056

Critical · Public PoC

Published: 28 June 2022
Modified: 21 November 2024
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0522 (90.2nd percentile)
Risk priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-31056 is a critical-severity SQL injection (CWE-89) vulnerability in GLPI (vendor: glpi-project). Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 9.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

GLPI, an open-source IT asset management and service desk platform, contains a SQL injection vulnerability in the actor fields of its assistance forms for Tickets, Changes, and Problems. The flaw, classified as CWE-89, affects versions prior to 10.0.2 and carries a CVSS 3.1 score of 9.8, reflecting that it is reachable over the network without authentication or user interaction.

An unauthenticated remote attacker can supply crafted input to these fields to execute arbitrary SQL queries against the backend database. Successful exploitation can lead to full confidentiality, integrity, and availability impacts, including data exfiltration or modification; public proof-of-concept material further demonstrates remote code execution paths.

The project security advisory GHSA-9q9x-7xxh-w4cg and accompanying release notes direct all users to upgrade immediately to version 10.0.2, which contains the fix. Public exploit code has been posted to Packet Storm, yet the EPSS score has remained low and stable near 0.05 with no material post-disclosure increase.


Vulnerability details

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions all assistance forms (Ticket/Change/Problem) permit SQL injection on the actor fields. This issue has been resolved in version 10.0.2 and all affected users are advised to upgrade.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: glpi-project
Product: glpi
Versions: 10.0.0 — 10.0.2

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing: uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses. (Addresses: CWE-89)
- Query input validation: validates query inputs to prevent SQL syntax or command manipulation. (Addresses: CWE-89)
