Cyber Resilience

CVE-2023-42802

Critical

Published: 02 November 2023
Modified: 21 November 2024
KEV added: not listed
Patch: fixed in GLPI 10.0.10
CVSS v3.1 score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.0616 (91.0th percentile)
Risk priority: 24 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-42802 is a critical-severity Improper Input Validation (CWE-20) vulnerability in GLPI (glpi-project). Its CVSS v3.1 base score is 10.0 (Critical).

Operationally, its EPSS score places it in the top 9.0% of CVEs by exploit likelihood (91.0th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

GLPI, an open-source IT asset management application, contains an unverified object instantiation flaw in versions 10.0.7 through 10.0.9. The issue permits an attacker to upload arbitrary PHP files into directories outside the intended upload locations, which can result in remote code execution when the web server subsequently processes those files, depending on server configuration and available PHP libraries.

An unauthenticated remote attacker can exploit the vulnerability over the network without user interaction to place and invoke malicious PHP code, achieving full compromise of the confidentiality, integrity, and availability of the affected GLPI instance. The CVSS 3.1 base score of 10.0 reflects the absence of required authentication and the scope change that allows the attacker to impact resources beyond the vulnerable component.

The official fix is included in GLPI 10.0.10, as noted in the project’s GitHub release notes and the accompanying security advisory GHSA-rrh2-x4ch-pq3m. As an interim mitigation, administrators can revoke write permissions on the /ajax and /front paths for the web-server user. The associated EPSS score has remained flat at 0.0616 with no material increase since disclosure.

EU & UK References

Vulnerability details

GLPI is a free asset and IT management software package. Starting in version 10.0.7 and prior to version 10.0.10, an unverified object instantiation allows one to upload malicious PHP files to unwanted directories. Depending on web server configuration and available system libraries, malicious PHP files can then be executed through a web server request. Version 10.0.10 fixes this issue. As a workaround, remove write access on `/ajax` and `/front` files to the web server.
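The interim workaround above (deny the web-server account write access under `/ajax` and `/front`) is easy to state and easy to get subtly wrong, so the following added example, which is not GLPI project code, shows one way to audit and apply it. It assumes a GLPI install root passed as the first argument (for a report-only run, via a hypothetical `GLPI_ROOT` environment variable), a web-server account and group named `www-data`, and uses the hypothetical function names `glpi_writable_paths` and `glpi_remove_web_write`; adjust all three to your deployment.

```shell
#!/bin/sh
# Added example (not GLPI project code): audit and apply the documented
# interim workaround for CVE-2023-42802, i.e. make sure the web-server
# account cannot write under GLPI's /ajax and /front directories.
# Assumptions (hypothetical, adjust to your deployment): GLPI root given as
# the first argument, web-server account/group "www-data". Function names
# are ours. The account named must exist, or find(1) reports an error.

# List every path under <root>/ajax and <root>/front that the web-server
# account could write to: owned by it with the owner-write bit (0200) set,
# in its group with the group-write bit (0020) set, or world-writable (0002).
# Prints one path per line; prints nothing once the workaround is applied.
glpi_writable_paths() {
    root="$1"; web_user="$2"; web_group="$3"
    for sub in ajax front; do
        dir="$root/$sub"
        if [ ! -d "$dir" ]; then
            echo "warning: $dir not found" >&2
            continue
        fi
        find "$dir" \( \( -user "$web_user" -perm -200 \) \
                      -o \( -group "$web_group" -perm -020 \) \
                      -o -perm -002 \) -print
    done
}

# Apply the workaround: strip only the write bits that would let the
# web-server account write. Paths owned by other accounts keep their
# permissions, so a separate deployment account can still update the tree.
glpi_remove_web_write() {
    root="$1"; web_user="$2"; web_group="$3"
    for sub in ajax front; do
        dir="$root/$sub"
        [ -d "$dir" ] || continue
        # owner-write where the web-server account is the owner
        find "$dir" -user "$web_user" -perm -200 -exec chmod u-w {} +
        # group-write where the web-server group is the group
        find "$dir" -group "$web_group" -perm -020 -exec chmod g-w {} +
        # world-write, always
        find "$dir" -perm -002 -exec chmod o-w {} +
    done
}

# Report-only run when GLPI_ROOT is set (hypothetical variable), e.g.
#   GLPI_ROOT=/var/www/glpi WEB_USER=www-data WEB_GROUP=www-data sh audit.sh
if [ -n "${GLPI_ROOT:-}" ]; then
    glpi_writable_paths "$GLPI_ROOT" "${WEB_USER:-www-data}" "${WEB_GROUP:-www-data}"
fi
```

Run the audit first and re-run it after the change; an empty listing is the acceptance check. Re-running the audit after every GLPI upgrade is worth scheduling, since package or deployment scripts commonly restore write bits on these directories. Note that the workaround only removes one step of the attack chain; upgrading to 10.0.10 remains the fix.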

CWE(s)

CWE-20 (Improper Input Validation); CWE-434 (Unrestricted Upload of File with Dangerous Type)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: glpi-project
Product: glpi
Versions: 10.0.7 through 10.0.9 (fixed in 10.0.10)

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-434: Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.

Addresses CWE-20: Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.

Addresses CWE-20: Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.

Addresses CWE-434: Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.

Addresses CWE-434: Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.

Addresses CWE-20: Directly implements checks on information inputs to reject invalid data before processing.

Addresses CWE-434: Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.

Addresses CWE-20: Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.

References