Cyber Resilience

CVE-2022-31062

Severity: Medium
Public PoC: yes
Published: 20 June 2022
Modified: 21 November 2024
KEV Added: (not listed)
Patch: available
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.1100 (93.6th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-31062 is a medium-severity Path Traversal (CWE-22) vulnerability in GLPI Inventory (glpi-project). Its CVSS base score is 5.3 (Medium).

Operationally, its EPSS score ranks it in the top 6.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-31062 is a path traversal vulnerability (CWE-22) in the GLPI Inventory Plugin (glpi-inventory-plugin) versions prior to 1.0.2. The flaw resides in a publicly accessible script that fails to properly sanitize input, allowing arbitrary system file contents to be read.

Unauthenticated remote attackers can exploit the issue over the network without credentials or user interaction. Successful exploitation grants read access to sensitive files on the underlying system, resulting in partial confidentiality impact as reflected in the CVSS 5.3 score.

The project advisory directs users to upgrade to version 1.0.2. When the deploy feature is unused, the file b/deploy/index.php may simply be removed as a workaround. Public exploit code targeting GLPI Inventory 1.0.1 has been published on Packet Storm.

The EPSS score rose from a low baseline to a peak of 0.2270, indicating that exploitation interest increased after disclosure.

Vulnerability details

Impact
A plugin public script can be used to read the content of system files.

Patches
Upgrade to version 1.0.2.

Workarounds
The b/deploy/index.php file can be deleted if the deploy feature is not used.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: glpi-project
Product: glpi inventory
Versions: ≤ 1.0.2

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-22): Validates pathnames and filenames to prevent traversal outside intended directories.
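As an added illustration of that control (not code from GLPI or the inventory plugin), the Python function below confines an untrusted filename to a base directory by canonicalising the joined path and checking containment component by component, which also catches absolute paths, NUL bytes and symlinks pointing out of the base; the sandbox directory, file names and the demo() helper are constructed for this example.

```python
import tempfile
from pathlib import Path

def resolve_inside(base_dir: str, requested: str) -> Path:
    """Resolve untrusted `requested` against `base_dir` and return the real path,
    raising ValueError if it lands outside base_dir."""
    if "\x00" in requested:
        raise ValueError("NUL byte in requested path")
    base = Path(base_dir).resolve()
    # Joining with an absolute path yields that absolute path; resolve() then
    # collapses '..' and follows symlinks, so the containment check is made on
    # the real filesystem location rather than on the raw string.
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)  # component-wise, not a string-prefix test
    except ValueError:
        raise ValueError(f"path escapes base directory: {requested!r}") from None
    return candidate

def read_inside(base_dir: str, requested: str) -> bytes:
    """Read a file only if it resolves inside base_dir."""
    return resolve_inside(base_dir, requested).read_bytes()

def demo() -> dict:
    """Constructed sandbox: a base directory with one legitimate file and a
    subdirectory, a secret outside it, and a symlink inside pointing at the
    secret. Returns which requests were served (True) or rejected (False)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "deploy"
        base.mkdir()
        (base / "sub").mkdir()
        (base / "manifest.txt").write_bytes(b"ok")
        secret = Path(tmp) / "secret.txt"
        secret.write_bytes(b"outside")
        try:
            (base / "link").symlink_to(secret)
        except OSError:
            pass  # symlinks unavailable here; that case is simply not exercised
        requests = ["manifest.txt", "sub/../manifest.txt", "../secret.txt",
                    str(secret), "link", "manifest.txt\x00.png"]
        results = {}
        for r in requests:
            try:
                read_inside(str(base), r)
                results[r] = True
            except (ValueError, FileNotFoundError):
                results[r] = False
        return results
```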
