Cyber Resilience

CVE-2024-29889

Severity: High
Published: 07 May 2024
Modified: 28 January 2025
KEV added: not listed
Patch: available (fixed in GLPI 10.0.15)
CVSS v3.1 score: 7.1 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)
EPSS score: 0.6646 (98.6th percentile)
Risk priority: 54 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-29889 is a high-severity SQL injection (CWE-89) vulnerability in GLPI (vendor glpi-project). Its CVSS base score is 7.1 (High).

Operationally, it ranks in the top 1.4% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

GLPI, an open-source IT asset management application, contains a SQL injection vulnerability in its saved searches feature that affects all versions prior to 10.0.15. The flaw, classified as CWE-89 (SQL injection), permits an authenticated user to inject arbitrary SQL through the saved-search handling code, resulting in unauthorized modification of other users' account records. The issue carries a CVSS 3.1 base score of 7.1.

An authenticated attacker can use the injection to alter account data belonging to another user and thereby take control of that account. Because the attack requires only low-privileged authenticated access (PR:L) and no user interaction (UI:N), it can be carried out remotely over the network (AV:N) with minimal preconditions.

The vulnerability is addressed in GLPI 10.0.15. The project’s security advisory GHSA-8xvf-v6vv-r75g and the associated commit 0a6b28be4c0f848106c60b554c703ec2e178d6c7 document the remediation and confirm that upgrading to the fixed release eliminates the injection vector.

The EPSS score for this CVE peaked at 0.7324 and currently stands at 0.6646, indicating a sustained high predicted likelihood of exploitation since disclosure.


Vulnerability details

GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability in the saved searches feature to alter another user's account data and take control of it. This vulnerability is fixed in 10.0.15.

CWE(s): CWE-89 (SQL Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: glpi-project
Product: glpi
Version range: 10.0.10 — 10.0.15 (fixed in 10.0.15)

Mitigating Controls

Likely mitigating controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing (addresses CWE-89): uses SQL injection payloads against database interfaces, identifying SQL injection weaknesses and supporting their remediation.

Query input validation (addresses CWE-89): validates query inputs to prevent manipulation of SQL syntax or commands.
