CVE-2022-31056
Published: 28 June 2022
Summary
CVE-2022-31056 is a critical-severity SQL injection (CWE-89) vulnerability in GLPI (glpi-project/glpi). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 9.8% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
GLPI, an open-source IT asset management and service desk platform, contains a SQL injection vulnerability in the actor fields of its assistance forms (Ticket, Change, and Problem). The weakness is classified as CWE-89 and affects versions prior to 10.0.2. Its CVSS 3.1 base score of 9.8 reflects a flaw reachable over the network with low attack complexity, requiring neither privileges nor user interaction, and with high impact on confidentiality, integrity, and availability.
An unauthenticated remote attacker can supply crafted input in these fields to execute arbitrary SQL against the backend database. Successful exploitation compromises the confidentiality, integrity, and availability of the stored data, enabling exfiltration or modification; public proof-of-concept material further demonstrates remote code execution paths.
The project security advisory GHSA-9q9x-7xxh-w4cg and the accompanying release notes direct all users to upgrade immediately to version 10.0.2, which contains the fix. Public exploit code has been posted to Packet Storm, yet the EPSS score has remained low and stable near 0.05, with no material post-disclosure increase. A low EPSS should not be read as absence of risk here: an unauthenticated, network-reachable flaw with public exploit code warrants treating any exposed pre-10.0.2 instance as a priority for patching.
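To make the CWE-89 pattern behind this advisory concrete, the following is an added illustration, not GLPI's own code and not the published proof-of-concept: a ticket lookup that splices a form-supplied actor value into SQL text, beside a hardened version that validates the value and binds it as a parameter. The schema (`tickets`, `users`) and the sample rows are constructed for the example and do not reflect GLPI's real tables.

```python
import sqlite3

# Constructed sample data standing in for a service-desk backend.
# Hypothetical schema; this is not GLPI's table layout.
TICKETS = [
    (1, "Printer jam", 101),
    (2, "Password reset", 102),
    (3, "VPN outage", 103),
]
USERS = [
    (1, "alice", "hash_a"),
    (2, "bob", "hash_b"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER, name TEXT, actor_id INTEGER)")
    conn.execute("CREATE TABLE users (id INTEGER, login TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO tickets VALUES (?, ?, ?)", TICKETS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def tickets_for_actor_vulnerable(conn, actor):
    """CWE-89 pattern: the actor value from the form is concatenated into the
    SQL text, so whatever the client sends becomes part of the query."""
    sql = "SELECT id, name FROM tickets WHERE actor_id = " + str(actor)
    return conn.execute(sql).fetchall()


def tickets_for_actor_safe(conn, actor):
    """Hardened form: the value is validated as an integer and travels to the
    database as a bound parameter, never as SQL text."""
    actor_id = int(actor)  # ValueError on anything that is not a plain integer
    sql = "SELECT id, name FROM tickets WHERE actor_id = ?"
    return conn.execute(sql, (actor_id,)).fetchall()


def demo():
    """Show the injected payloads against both implementations."""
    conn = make_db()
    bypass = "101 OR 1=1"                                   # returns every ticket
    exfil = "0 UNION SELECT id, password_hash FROM users"   # pulls credential hashes
    print("vulnerable, legit :", tickets_for_actor_vulnerable(conn, "101"))
    print("vulnerable, bypass:", tickets_for_actor_vulnerable(conn, bypass))
    print("vulnerable, exfil :", tickets_for_actor_vulnerable(conn, exfil))
    print("safe, legit       :", tickets_for_actor_safe(conn, "101"))
    for payload in (bypass, exfil):
        try:
            tickets_for_actor_safe(conn, payload)
        except ValueError:
            print("safe, rejected    :", payload)


if __name__ == "__main__":
    demo()
```

The `UNION` payload is the shape of the data-exfiltration impact the advisory describes: a query meant to list a user's tickets is turned into a read of an unrelated table. The hardened version closes both paths the same way, by refusing non-integer input and letting the driver bind the value, which is the general CWE-89 remedy regardless of which form field is involved.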
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-52729
Vulnerability details
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions all assistance forms (Ticket/Change/Problem) permit SQL injection on the actor fields. This issue has been resolved in version 10.0.2 and all affected users are advised to upgrade.
CWE(s)
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- GLPI versions prior to 10.0.2
Mitigating Controls
- Upgrade to GLPI 10.0.2 or later, per advisory GHSA-9q9x-7xxh-w4cg.
- Until patched, restrict network exposure of the GLPI web interface, since the flaw requires no authentication.
- CWE-89 controls in general: validate and type-check form input, and pass values to the database as bound parameters rather than concatenating them into SQL text.
Per-CVE control mapping for this CVE has not run yet; the controls above are derived from the vendor advisory and the weakness type (CWE-89) cited in the NVD entry.