CVE-2022-34127
Published: 16 April 2023
Summary
CVE-2022-34127 is a high-severity Path Traversal (CWE-22) vulnerability in Glpi-Project Manageentities. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 5.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability is a path traversal flaw (CWE-22) in the Managentities plugin for GLPI that permits unauthenticated reading of arbitrary local files through the file parameter in inc/cri.class.php. It affects all versions of the plugin prior to 4.0.2 and carries a CVSS 3.1 score of 7.5, reflecting network-reachable exploitation that requires no credentials or user interaction and has a high impact on confidentiality.
An attacker with network access to a GLPI instance running the vulnerable plugin can supply crafted directory traversal sequences in the affected parameter to retrieve sensitive files from the underlying server filesystem, such as configuration data or application source code, without authenticating.
The referenced GitHub security advisory and the release notes for version 4.0.2 indicate that the issue is resolved by upgrading the Managentities plugin to 4.0.2 or later. The associated EPSS score peaked at 0.1792 and currently stands at 0.1469, indicating moderate and sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-37143
Vulnerability details
The Managentities plugin before 4.0.2 for GLPI allows reading local files via directory traversal in the inc/cri.class.php file parameter.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
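As an added illustration of that control (example code, not code from the plugin or from GLPI), the following Python function shows the containment check a file-serving handler should apply before opening a user-supplied filename; it canonicalises the joined path and rejects traversal, absolute paths, NUL bytes, escaping symlinks and the sibling-directory prefix collision that a naive string prefix test misses. The base directory and probe names are constructed for the demo.

```python
import os
import tempfile
from typing import Dict, Optional


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path `requested` resolves to if it stays inside base_dir.

    Returns None for anything that would escape the intended directory:
    '..' segments, absolute paths, symlinks pointing outside, NUL bytes, and
    prefix collisions such as base 'docs' against a sibling 'docs_private'.
    """
    if "\x00" in requested:  # a NUL byte can truncate the name at the C level
        return None
    base = os.path.realpath(base_dir)
    # Join, then canonicalise: realpath collapses '..' and follows symlinks, so
    # the containment check is made on the path the OS would actually open.
    candidate = os.path.realpath(os.path.join(base, requested))
    # Compare with a trailing separator so 'docs' does not match 'docs_private'.
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def demo() -> Dict[str, bool]:
    """Build a constructed scratch tree and probe it; True means the request is served."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    os.makedirs(os.path.join(root, "docs_private"))
    with open(os.path.join(docs, "report.txt"), "w") as fh:
        fh.write("ok")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("not for the web")
    # A symlink inside the served directory that points outside it.
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(docs, "link"))
    probes = [
        "report.txt",                        # legitimate request
        "../secret.txt",                     # classic traversal
        "../docs_private/anything",          # prefix-collision escape
        "link",                              # symlink escaping the base
        os.path.join(root, "secret.txt"),    # absolute path
        "report.txt\x00.png",                # NUL-byte truncation attempt
    ]
    return {p: resolve_within(docs, p) is not None for p in probes}


if __name__ == "__main__":
    for request, served in demo().items():
        print(f"{request!r:45} -> {'served' if served else 'rejected'}")
```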