CVE-2022-35914
Published: 19 September 2022
Summary
CVE-2022-35914 is a critical-severity injection (CWE-74) vulnerability in GLPI (glpi-project/glpi). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top fraction of a percent of CVEs by exploit likelihood (its EPSS percentile rounds to the top 0.0%); CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Deeper analysis
The vulnerability is a PHP code injection flaw tracked as CVE-2022-35914. It affects htmLawedTest.php, the demonstration script shipped with the htmLawed library that GLPI vendors at /vendor/htmlawed/htmlawed/, in GLPI versions through 10.0.2; the fix shipped in GLPI 10.0.3 removes the script. The flaw is assigned CWE-74 and carries a CVSS 3.1 base score of 9.8, reflecting network-accessible, low-complexity exploitation with no privileges and no user interaction that fully compromises confidentiality, integrity, and availability.
An unauthenticated remote attacker can invoke the test script directly over HTTP, because it sits in a web-reachable directory and performs no GLPI authentication, and supply input that the script hands to PHP for execution. Successful exploitation grants the attacker code execution as the web server's user, hence the ability to run operating-system commands, read or modify application data (including the GLPI database credentials in the install tree), and maintain persistent access without credentials or user interaction.
Public references include the GLPI release page for obtaining the patched version and a functional proof-of-concept script that demonstrates command execution against the vulnerable endpoint. The EPSS score peaked at 0.9751 and currently stands at 0.9439, indicating sustained and substantial exploitation interest since disclosure; the KEV listing confirms exploitation in the wild.
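Because the endpoint is a fixed path and the injection is delivered by an HTTP request to it, every hit on htmLawedTest.php in a web server access log is a usable indicator. The following detection logic is an added example, not code from the page or from the GLPI project: it parses Apache/nginx "combined" format lines, normalizes the path (query string stripped, percent-decoding repeated to defeat double-encoding, case folded) and classifies each hit. The log lines are constructed for the example and are not real traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Sep/2022:10:01:02 +0000] "GET /glpi/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Sep/2022:10:01:05 +0000] "GET /glpi/vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1" 200 8831 "-" "python-requests/2.28.1"
203.0.113.7 - - [20/Sep/2022:10:01:06 +0000] "POST /glpi/vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1" 200 9120 "-" "python-requests/2.28.1"
198.51.100.9 - - [20/Sep/2022:10:02:00 +0000] "GET /glpi/vendor/htmlawed/htmlawed/htmlawedtest.php HTTP/1.1" 404 220 "-" "curl/7.85.0"
198.51.100.9 - - [20/Sep/2022:10:02:30 +0000] "POST /glpi/vendor/htmlawed/htmlawed/htmLawedTest%2Ephp HTTP/1.1" 200 9120 "-" "curl/7.85.0"
192.0.2.4 - - [20/Sep/2022:10:03:00 +0000] "GET /glpi/front/ticket.php HTTP/1.1" 200 4401 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Basename of the vulnerable script, compared case-insensitively.
TARGET = "htmlawedtest.php"


def normalize_path(raw):
    """Drop the query string, fully percent-decode (attackers double-encode),
    and lower-case so that htmLawedTest%2Ephp still matches."""
    path = raw.split("?", 1)[0]
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path.lower()


def find_htmlawed_requests(lines):
    """Return one record per request that targeted htmLawedTest.php."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalize_path(m.group("path"))
        if not path.endswith(TARGET):
            continue
        method, status = m.group("method"), int(m.group("status"))
        # A POST answered 200 means the form handler ran on an install that
        # still ships the script; a GET or a 404 is reconnaissance/probing.
        severity = "exploit_attempt" if method == "POST" and status == 200 else "probe"
        hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "method": method,
                     "status": status, "path": path, "severity": severity})
    return hits


def count_by_source(hits):
    """Aggregate hits per client address for triage."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in find_htmlawed_requests(SAMPLE_LOG.splitlines()):
        print(f'{h["ts"]} {h["ip"]:<14} {h["method"]:<4} {h["status"]} {h["severity"]}')
```

On a patched or hardened host every hit should be a 403/404 probe; a 200 to a POST is the signal to treat the host as compromised and pull the PHP session store, cron entries and web-writable directories for persistence, since the script ran as the web server's user.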
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-38785
Vulnerability details
/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.
- CWE(s): CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, "Injection")
- KEV date added: 07 March 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
CM-7 (Least Functionality): directly requires disabling or removing non-essential components, here the htmLawedTest.php demonstration script, which has no role in a production GLPI deployment and is the sole entry point for the unauthenticated PHP injection. Removing the script is what the vendor fix does; deleting the file on an unpatched instance closes the hole immediately while the upgrade is scheduled.
SI-10 (Information Input Validation): mandates validation and sanitization of all input reaching the test script, which would block the crafted request that leads to remote execution. This only matters if the script is kept, and it should not be; treat it as secondary to CM-7.
Access enforcement on web resources: configure the web server so that the vendor tree, and the test endpoint in particular, cannot be reached by unauthenticated HTTP clients, or by any client at all; pointing the document root at a directory that does not contain vendor/ achieves the same. This limits the blast radius of any other unintended script shipped in third-party dependencies, not just this one.
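A practitioner applying CM-7 wants a repeatable check that an install is clean and a safe way to apply the removal. The following is an added example, not code from the page or from the GLPI project. It assumes that GLPI records its version in inc/define.php as define('GLPI_VERSION', '...'); verify that against your own tree. The GLPI-like directory it builds is a constructed fixture, not a real install.

```python
import os
import re
import tempfile

# Path of the demonstration script relative to the GLPI root (from the advisory).
TEST_SCRIPT = os.path.join("vendor", "htmlawed", "htmlawed", "htmLawedTest.php")
# Assumption: GLPI declares its version in inc/define.php as
# define('GLPI_VERSION', '10.0.2');  (check this against your install).
VERSION_FILE = os.path.join("inc", "define.php")
VERSION_RE = re.compile(r"define\(\s*'GLPI_VERSION'\s*,\s*'([^']+)'\s*\)")
LAST_AFFECTED = (10, 0, 2)  # "through 10.0.2" per the advisory


def parse_version(text):
    """'10.0.2' -> (10, 0, 2); a trailing tag such as '-dev' is ignored."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in re.findall(r"\d+", m.group(1).split("-")[0]))


def assess(root):
    """Describe the install's exposure to CVE-2022-35914."""
    version = None
    vfile = os.path.join(root, VERSION_FILE)
    if os.path.isfile(vfile):
        with open(vfile, encoding="utf-8") as fh:
            version = parse_version(fh.read())
    script_present = os.path.isfile(os.path.join(root, TEST_SCRIPT))
    return {
        "version": version,
        "version_affected": version is not None and version <= LAST_AFFECTED,
        "script_present": script_present,
        # Exposure follows the attack surface, not the version string: an
        # upgraded tree that still carries the script is still exposed.
        "exposed": script_present,
    }


def remediate(root, dry_run=True):
    """CM-7: remove the non-essential script. True if removed (or would be)."""
    script = os.path.join(root, TEST_SCRIPT)
    if not os.path.isfile(script):
        return False
    if not dry_run:
        os.remove(script)
    return True


def make_fixture(version="10.0.2", with_script=True):
    """Constructed GLPI-like tree for demonstration; not a real install."""
    root = tempfile.mkdtemp(prefix="glpi-")
    os.makedirs(os.path.join(root, "inc"))
    with open(os.path.join(root, VERSION_FILE), "w", encoding="utf-8") as fh:
        fh.write(f"<?php\ndefine('GLPI_VERSION', '{version}');\n")
    if with_script:
        os.makedirs(os.path.dirname(os.path.join(root, TEST_SCRIPT)))
        with open(os.path.join(root, TEST_SCRIPT), "w", encoding="utf-8") as fh:
            fh.write("<?php // stand-in for the htmLawed demo script\n")
    return root


if __name__ == "__main__":
    root = make_fixture()
    print("before:", assess(root))
    remediate(root, dry_run=False)
    print("after: ", assess(root))
```

Run assess() against the real GLPI root (for example /var/www/glpi) before and after upgrading; the upgrade should leave script_present False. Keep the web-server rule denying access to vendor/ in place regardless, because a later dependency update could reintroduce a similar file.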