CVE-2024-40638
Published: 15 November 2024
Summary
CVE-2024-40638 is a high-severity SQL Injection (CWE-89) vulnerability in Glpi-Project Glpi. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 5.9% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
GLPI, a free asset and IT management software package, contains multiple SQL injection vulnerabilities tracked together under CVE-2024-40638 (CWE-89). All of them require an authenticated user; one instance lets that user alter another user account's data and thereby take control of it. The CVSS 3.1 base score of 8.1 reflects a network attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality and integrity (availability is not affected).
In practice, an authenticated attacker holding only a low-privilege account supplies crafted input that reaches the injected SQL; no interaction from the victim is needed. Because the injected statement can modify records belonging to other accounts, a standard user can move from their own account to control of other, potentially higher-privileged, accounts in the same GLPI instance without any further vulnerability.
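The following is an added example to make the mechanism described above concrete; it is not GLPI's code and is not taken from the advisory. It models a hypothetical "update my e-mail address" action against an in-memory SQLite table with constructed rows (an administrator and a low-privilege user), shows how a single crafted value retargets an UPDATE at another account's row once the input is spliced into the SQL text, and then shows the parameterized form in which the same payload is stored as a harmless literal. The table name, column names, and payload are assumptions for illustration; the real affected parameters in GLPI are not reproduced here.

```python
import sqlite3

# Constructed, hypothetical schema standing in for an application user table;
# the real GLPI schema and the affected queries are not reproduced here.
SEED_USERS = [
    (1, "admin", "admin@example.invalid", 1),
    (2, "alice", "alice@example.invalid", 0),
]

# Constructed payload: closes the string literal, rewrites the WHERE clause to
# target user id 1 (the administrator), and comments out the remainder of the
# original statement. Taking over the e-mail address is one plausible path to
# taking over the account (e.g. via password reset); the advisory does not
# specify which data the real flaw alters.
PAYLOAD = "attacker@example.invalid' WHERE id = 1 -- "


def make_db() -> sqlite3.Connection:
    """In-memory database with two users: an administrator and a low-privilege user."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SEED_USERS)
    conn.commit()
    return conn


def email_of(conn: sqlite3.Connection, user_id: int) -> str:
    """Read back a user's stored e-mail address (parameterized lookup)."""
    return conn.execute("SELECT email FROM users WHERE id = ?", (user_id,)).fetchone()[0]


def update_email_vulnerable(conn: sqlite3.Connection, session_user_id: int, new_email: str) -> None:
    """CWE-89 pattern: the caller's input is spliced into the SQL text.

    Only one statement is executed, so the attacker does not need stacked
    queries; breaking out of the quoted literal is enough to point the
    UPDATE at any row in the table.
    """
    sql = (
        "UPDATE users SET email = '" + new_email + "' "
        "WHERE id = " + str(session_user_id)
    )
    conn.execute(sql)
    conn.commit()


def update_email_hardened(conn: sqlite3.Connection, session_user_id: int, new_email: str) -> None:
    """Parameterized form: input is bound as a value and never parsed as SQL.

    The row selector comes from the authenticated session, not from the
    request body, so the user can only ever update their own record.
    """
    conn.execute(
        "UPDATE users SET email = ? WHERE id = ?", (new_email, session_user_id)
    )
    conn.commit()


def run_vulnerable() -> tuple[str, str]:
    """Low-privilege user (id 2) submits PAYLOAD; returns (admin email, alice email)."""
    conn = make_db()
    update_email_vulnerable(conn, session_user_id=2, new_email=PAYLOAD)
    return email_of(conn, 1), email_of(conn, 2)


def run_hardened() -> tuple[str, str]:
    """Same payload through the parameterized query; returns (admin email, alice email)."""
    conn = make_db()
    update_email_hardened(conn, session_user_id=2, new_email=PAYLOAD)
    return email_of(conn, 1), email_of(conn, 2)


if __name__ == "__main__":
    admin, alice = run_vulnerable()
    print("vulnerable: admin ->", admin, "| alice ->", alice)
    admin, alice = run_hardened()
    print("hardened:   admin ->", admin, "| alice ->", repr(alice))
```

In the vulnerable path the administrator's address is overwritten while the attacker's own row is untouched, which is exactly the "alter another user account's data" outcome the advisory describes. In the hardened path the administrator's row is unchanged and the attacker's own e-mail field simply contains the payload as text. Parameterization is the fix for the injection itself; deriving the target row from the session rather than the request is the separate authorization control that keeps a user confined to their own record.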
The official advisory published in the GLPI GitHub repository recommends upgrading to version 10.0.17 to remediate the vulnerabilities; it documents no configuration change or workaround as an alternative.
The EPSS score peaked at 0.1527 and currently stands at 0.1240, i.e. an estimated 12.4% probability of exploitation activity in the wild over the next 30 days, a moderate level that has declined slightly since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-38552
Vulnerability details
GLPI is a free asset and IT management software package. An authenticated user can exploit multiple SQL injection vulnerabilities. One of them can be used to alter another user account data and take control of it. Upgrade to 10.0.17.
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
GLPI installations running a release earlier than 10.0.17, the fixed version named in the advisory; consult the upstream advisory for the exact affected version range.
Mitigating Controls
Per-CVE control mapping has not yet been produced for this entry; the controls below follow from the cited weakness type (CWE-89) and from the vendor advisory.
- Upgrade to GLPI 10.0.17 or later; this is the only remediation the advisory documents.
- Build every SQL statement that incorporates user-supplied data with prepared statements or bound parameters rather than string concatenation, and take row selectors (such as the acting user's id) from the authenticated session rather than from the request.
- Run the application's database account with the least privileges it needs, so that a successful injection cannot reach tables or operations beyond those the application legitimately uses.
- Review authenticated request logs for SQL metacharacters and comment sequences in parameters that should only ever carry plain values, and alert on unexpected changes to other users' account attributes (e-mail, password, profile assignments).