CVE-2024-37149
Published: 10 July 2024
Summary
CVE-2024-37149 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in GLPI (vendor: glpi-project). Its CVSS base score is 7.2 (High).
Operationally, it ranks in roughly the top 7.5% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
GLPI, an open-source asset and IT management software package providing ITIL Service Desk features along with license tracking and software auditing, contains a vulnerability tracked as CVE-2024-37149. An authenticated technician user can upload a malicious PHP script and hijack the plugin loader to execute arbitrary code on the server. The flaw is associated with CWE-73 and CWE-94 and is rated 7.2 under CVSS 3.1.
An attacker possessing technician credentials can exploit the issue remotely with low attack complexity and no user interaction required, resulting in full control over confidentiality, integrity, and availability of the GLPI instance. The 7.2 score, rather than a critical one, is consistent with the high-privilege requirement: under CVSS 3.1 a network-reachable, low-complexity, no-interaction flaw with full CIA impact scores 7.2 when it needs high privileges (PR:H) and stays within the vulnerable component's scope. Anyone with a technician account, or anyone who can phish or reuse one, is therefore the realistic attacker.
The referenced GitHub security advisories for the project state that the vulnerability is resolved by upgrading to version 10.0.16.
The associated EPSS score (an estimated 8.33% probability of exploitation in the wild within the next 30 days) has remained flat at 0.0833 with no material rise after disclosure.
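The weakness class described above, CWE-73 reaching code execution (CWE-94), comes down to a loader that turns an externally influenced name into an include path. The following is an added illustration of that pattern beside a hardened resolver; it is not GLPI's own code, and the directory layout, plugin names, file contents and the temporary-directory demo are constructed for the example.

```php
<?php
// Added example for this page; it is not GLPI's own code. It contrasts a
// plugin loader that trusts an externally supplied name as a path component
// (the CWE-73 pattern behind this class of bug) with a hardened resolver.
// Directory layout, plugin names and file contents below are constructed.
declare(strict_types=1);

// Vulnerable pattern: the caller-supplied name becomes part of an include path.
// A value such as "../files/_uploads/evil" leaves the plugin directory and
// executes an attacker-uploaded PHP file.
function loadPluginUnsafe(string $pluginRoot, string $name): void
{
    include $pluginRoot . '/' . $name . '/setup.php';
}

// Hardened resolver: identifier syntax, installed-plugin allowlist, and a
// realpath containment check. Returns the canonical setup.php path or null.
function resolvePluginSetup(string $pluginRoot, string $name, array $installed): ?string
{
    // 1. Strict identifier syntax rejects '/', '\', '.', NUL and case games.
    if (preg_match('/\A[a-z][a-z0-9_]{0,63}\z/', $name) !== 1) {
        return null;
    }
    // 2. Only plugins an administrator actually installed may be loaded.
    if (!in_array($name, $installed, true)) {
        return null;
    }
    // 3. The canonical path must still lie inside the plugin root
    //    (this also catches a symlink planted inside the plugin directory).
    $root = realpath($pluginRoot);
    $path = realpath($pluginRoot . '/' . $name . '/setup.php');
    if ($root === false || $path === false) {
        return null;
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function loadPluginSafe(string $pluginRoot, string $name, array $installed): bool
{
    $setup = resolvePluginSetup($pluginRoot, $name, $installed);
    if ($setup === null) {
        error_log('plugin loader: refused plugin name ' . json_encode($name));
        return false;
    }
    require_once $setup;
    return true;
}

// --- Constructed demo layout in a temporary directory -----------------------
$base = sys_get_temp_dir() . '/glpi_loader_demo_' . bin2hex(random_bytes(4));
mkdir("$base/plugins/reports", 0700, true);
mkdir("$base/files/_uploads/evil", 0700, true);
file_put_contents("$base/plugins/reports/setup.php",
    "<?php echo \"  loaded legitimate plugin 'reports'\\n\";");
// Stand-in for a technician's upload; a real payload would be a web shell.
file_put_contents("$base/files/_uploads/evil/setup.php",
    "<?php echo \"  !!! attacker-uploaded code executed\\n\";");
// Symlink inside the plugin tree that points at the upload directory.
symlink("$base/files/_uploads/evil", "$base/plugins/linked");

$installed  = ['reports', 'linked'];   // 'linked' shows the realpath check firing
$candidates = ['reports', '../files/_uploads/evil', "reports\0", 'Reports', 'linked'];

echo "Unsafe loader:\n";
loadPluginUnsafe("$base/plugins", '../files/_uploads/evil');

echo "Hardened loader:\n";
foreach ($candidates as $name) {
    $ok = loadPluginSafe("$base/plugins", $name, $installed);
    printf("  %-28s -> %s\n", json_encode($name, JSON_UNESCAPED_SLASHES), $ok ? 'loaded' : 'refused');
}

// Remove the constructed layout again.
foreach (["$base/plugins/linked", "$base/plugins/reports/setup.php", "$base/plugins/reports",
          "$base/files/_uploads/evil/setup.php", "$base/files/_uploads/evil",
          "$base/files/_uploads", "$base/files", "$base/plugins", $base] as $p) {
    (is_link($p) || is_file($p)) ? unlink($p) : rmdir($p);
}
```

Run it with `php loader_demo.php`: the unsafe loader executes the file planted under the upload directory, while the hardened loader accepts only `reports` and refuses the traversal string, the NUL-terminated name, the wrong-case name and the symlinked entry. The allowlist and realpath check belong together: the regex alone would not stop a symlink, and realpath alone would still load any directory an attacker manages to create under the plugin root. Independently of the loader, the upload directory of a PHP application should be configured so the web server never hands its files to the PHP handler.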
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-36966
Vulnerability details
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated technician user can upload a malicious PHP script and hijack the plugin loader to execute this malicious script. Upgrade to 10.0.16.
- CWE(s): CWE-73 (External Control of File Name or Path), CWE-94 (Improper Control of Generation of Code, 'Code Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (automatically derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry. Because the flaw is an interpreted PHP file reached through the plugin loader, not native memory corruption, check each control against that mechanism before relying on it.
- Rejects externally supplied file or resource identifiers that fail validity checks (CWE-73). This is the control that addresses the flaw directly: a plugin loader should accept only installed plugin names of strict identifier syntax and refuse any resolved path that falls outside the plugin directory, and as general hardening the upload directory should never be served through the PHP handler.
- Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media (derived from CWE-94). This protects the web server or interpreter binary, not a script the interpreter is told to load, so it does not stop this attack.
- Dynamically generated code can be produced and executed inside an isolated chamber, preventing host compromise from code-injection payloads (derived from CWE-94). Sandboxing the PHP worker limits what an executed upload can reach but does not prevent the execution itself.
- Directly prevents execution of attacker-supplied code written into data memory regions (derived from CWE-94). This describes W^X/DEP for native code; a PHP script is interpreted rather than executed from data memory, so it does not apply here.