Cyber Resilience

CVE-2024-37149

Severity: High · Type: RCE

Published: 10 July 2024
Modified: 07 January 2025
CVSS v3.1 score: 7.2 (vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0833 (92.5th percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-37149 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Glpi-Project Glpi. Its CVSS base score is 7.2 (High).

Operationally, its EPSS score places it in the top 7.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

GLPI, an open-source asset and IT management software package providing ITIL Service Desk features along with license tracking and software auditing, contains a vulnerability tracked as CVE-2024-37149. An authenticated technician user can upload a malicious PHP script and hijack the plugin loader to execute arbitrary code on the server. The flaw is associated with CWE-73 and CWE-94 and is rated 7.2 under CVSS 3.1.

An attacker possessing technician credentials can exploit the issue remotely with low attack complexity and no user interaction required, resulting in full control over confidentiality, integrity, and availability of the GLPI instance.

The referenced GitHub security advisories for the project state that the vulnerability is resolved by upgrading to version 10.0.16.

The associated EPSS score has remained flat at 0.0833 with no material rise after disclosure.


Vulnerability details

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated technician user can upload a malicious PHP script and hijack the plugin loader to execute this malicious script. Upgrade to 10.0.16.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: glpi-project
Product: glpi
Versions: 0.85 — 10.0.16

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-73, CWE-94: Rejects externally supplied file or resource identifiers that fail validity checks.
- Addresses CWE-94: Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Addresses CWE-94: Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
- Addresses CWE-94: Directly prevents execution of attacker-supplied code written into data memory regions.
