CVE-2022-31062
Published: 20 June 2022
Summary
CVE-2022-31062 is a medium-severity Path Traversal (CWE-22) vulnerability in Glpi-Project Glpi Inventory. Its CVSS base score is 5.3 (Medium).
Operationally, it ranks in the top 6.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-31062 is a path traversal vulnerability (CWE-22) in the GLPI Inventory Plugin (glpi-inventory-plugin) in versions prior to 1.0.2. The flaw resides in a publicly reachable plugin script that does not validate the file path it is given, so a crafted request can read the contents of arbitrary files on the host, limited to what the web server's account can read.
Exploitation is remote and unauthenticated: no GLPI credentials and no user interaction are required. The impact is confined to confidentiality (disclosure of file contents; the advisory describes no write or execution primitive), which is what the CVSS base score of 5.3 reflects.
The project advisory directs users to upgrade to version 1.0.2. Where the deploy feature is not used, deleting the file b/deploy/index.php (relative to the plugin's install directory) removes the vulnerable entry point and is an acceptable workaround. Public exploit code targeting GLPI Inventory 1.0.1 has been published on Packet Storm.
The EPSS score rose from a low baseline to a peak of 0.2270, an estimated 22.7% probability of exploitation activity within 30 days, indicating that exploitation interest increased after disclosure.
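Because public exploit code exists, a practitioner will want to hunt for attempts against the script named in the advisory. The following is an added example (not code from this page or from the GLPI project) that scans web server access logs in combined format for requests to b/deploy/index.php whose decoded path or query carries traversal sequences, decoding repeatedly so double-encoded probes are not missed. The log lines are constructed, the /plugins/glpiinventory/ prefix is an assumption about where the plugin sits under the GLPI web root, and the action and file parameter names are invented for the sample; the matcher keys only on the script path and on traversal patterns, so it does not depend on the real endpoint's parameters.

```python
import re
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# Script named in the advisory, relative to the plugin directory. The matcher
# looks for this substring in the decoded request path, so it works whatever
# prefix the plugin is installed under.
VULNERABLE_SCRIPT = "b/deploy/index.php"

# Apache/nginx combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Traversal indicators after decoding: dot-dot segments and the usual first-probe targets
TRAVERSAL_RE = re.compile(r'\.\.[/\\]|/etc/(?:passwd|shadow)', re.IGNORECASE)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so %2e%2e and %252e%252e both become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line: str) -> Optional[dict]:
    """Return a finding for a request to the vulnerable script, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    path = decode_fully(target.path)
    if VULNERABLE_SCRIPT not in path:
        return None
    query = decode_fully(target.query)
    traversal = bool(TRAVERSAL_RE.search(query) or TRAVERSAL_RE.search(path))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "traversal": traversal,
        "decoded_query": query,
    }


def scan(log_text: str) -> List[dict]:
    """Findings for requests to the vulnerable script that carry traversal sequences.
    A 200 status on such a request is the strongest signal that the read succeeded."""
    findings = []
    for line in log_text.splitlines():
        finding = classify(line)
        if finding and finding["traversal"]:
            findings.append(finding)
    return findings


# Constructed sample access log (not real traffic). The 'action' and 'file'
# parameter names are made up for the example and are not a claim about the
# real endpoint's API; the matcher does not depend on them.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jun/2022:10:01:13 +0000] "GET /plugins/glpiinventory/b/deploy/index.php?action=getFilePart&file=../../../../../../etc/passwd HTTP/1.1" 200 1834 "-" "curl/7.68.0"
203.0.113.7 - - [21/Jun/2022:10:01:15 +0000] "GET /plugins/glpiinventory/b/deploy/index.php?action=getFilePart&file=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 200 973 "-" "curl/7.68.0"
198.51.100.4 - - [21/Jun/2022:10:02:00 +0000] "GET /plugins/glpiinventory/b/deploy/index.php?action=getFilePart&file=package-1.tar.gz HTTP/1.1" 200 52311 "-" "GLPI-Agent/1.2"
192.0.2.9 - - [21/Jun/2022:10:03:41 +0000] "GET /front/central.php?dir=../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} query={f['decoded_query']}")
```

Only the first two lines are reported: the third is a legitimate request to the same script without traversal, and the fourth carries traversal but targets a different script, so it is out of scope for this CVE. Status codes are kept in the finding because a 200 on a traversal request, especially with a plausible response size for /etc/passwd, separates a successful read from a blocked or failed probe.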
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-52734
Vulnerability details
Impact: A plugin public script can be used to read content of system files.
Patches: Upgrade to version 1.0.2.
Workarounds: `b/deploy/index.php` file can be deleted if deploy feature is not used.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
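The control above, and the unvalidated-path flaw described under Deeper analysis, as an added example in Python rather than the plugin's PHP (illustrative code written for this page, not the plugin's own): vulnerable_read models the flawed pattern of joining a caller-supplied name onto the served directory and opening the result, and resolve_inside/safe_read is the containment check that canonicalises the path and refuses anything resolving outside the base directory, covering plain ../, single and double percent-encoding, absolute paths, NUL bytes and symlinks. The directory tree, file names and function names are constructed for the demonstration.

```python
import os
import shutil
import tempfile
from typing import Optional
from urllib.parse import unquote


def vulnerable_read(base_dir: str, requested: str) -> bytes:
    """Hypothetical model of the flawed pattern (not the plugin's code): the
    caller-supplied name is joined onto the served directory and opened as-is.
    '..' segments walk out of base_dir, and an absolute name discards it entirely."""
    path = os.path.join(base_dir, requested)
    with open(path, "rb") as fh:
        return fh.read()


def resolve_inside(base_dir: str, requested: str) -> Optional[str]:
    """Canonical path of `requested` if it stays inside base_dir, else None."""
    base = os.path.realpath(base_dir)
    # The web server decodes the query once; decoding again here also neutralises
    # double-encoded sequences such as %252e%252e that a naive filter would miss.
    name = unquote(unquote(requested))
    if os.path.isabs(name) or "\x00" in name:
        return None
    # realpath collapses '..' and follows symlinks, so the containment test runs
    # on what the OS would actually open, not on the string the user sent.
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath, not startswith: '/srv/deploy2' must not pass for base '/srv/deploy'
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def safe_read(base_dir: str, requested: str) -> bytes:
    """Hardened reader: same contract as vulnerable_read, but refuses escapes."""
    path = resolve_inside(base_dir, requested)
    if path is None:
        raise PermissionError(f"refused: {requested!r} resolves outside {base_dir}")
    with open(path, "rb") as fh:
        return fh.read()


def build_fixture():
    """Constructed tree: <root>/deploy is the served directory, <root>/secret.txt
    sits one level above it, and <root>/deploy/link is a symlink pointing at it."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    deploy = os.path.join(root, "deploy")
    os.mkdir(deploy)
    with open(os.path.join(deploy, "part.bin"), "wb") as fh:
        fh.write(b"deploy package part")
    with open(os.path.join(root, "secret.txt"), "wb") as fh:
        fh.write(b"db_password=hunter2")
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(deploy, "link"))
    return root, deploy


def demo() -> dict:
    """Run the same probes against both readers and report what each allowed."""
    root, deploy = build_fixture()
    try:
        results = {
            "legit_vulnerable": vulnerable_read(deploy, "part.bin"),
            "escape_vulnerable": vulnerable_read(deploy, "../secret.txt"),
            "legit_safe": safe_read(deploy, "part.bin"),
        }
        probes = {
            "dotdot": "../secret.txt",
            "encoded": "%2e%2e/secret.txt",
            "double_encoded": "%252e%252e%252fsecret.txt",
            "absolute": os.path.join(root, "secret.txt"),
            "symlink": "link",
        }
        for label, probe in probes.items():
            try:
                safe_read(deploy, probe)
                results[label] = "allowed"
            except PermissionError:
                results[label] = "refused"
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:18s} {outcome!r}")
```

The vulnerable reader happily returns secret.txt for "../secret.txt", while the hardened reader serves part.bin and refuses every probe. The realpath step is what makes the symlink case safe: a link planted inside the served directory still resolves to a path outside it and fails the commonpath test. Decoding inside the check keeps ordinary names untouched while making the filter robust to double encoding.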