Cyber Resilience

CVE-2024-40638

Severity: High
Published: 15 November 2024
Modified: 20 November 2024
KEV: not listed
Patch: available (GLPI 10.0.17)
CVSS v3.1: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS: 0.1240 (94.1st percentile)
Risk Priority: 24 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-40638 is a high-severity SQL injection (CWE-89) vulnerability in glpi-project GLPI. Its CVSS v3.1 base score is 8.1 (High).

Operationally, its EPSS score places it in the top 5.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

GLPI, a free asset and IT management software package, contains multiple SQL injection vulnerabilities tracked under CVE-2024-40638 (CWE-89). Any authenticated user can exploit them; one of the flaws allows altering another user account's data and taking control of that account. The CVSS 3.1 score of 8.1 reflects a network attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality and integrity, with no availability impact.

An authenticated attacker holding only a low-privilege account can supply crafted input that reaches a SQL statement unneutralized, and needs no interaction from the victim. Because one of the injections rewrites another user's account data, the attacker can take over that account; where the targeted account holds higher privileges, this amounts to privilege escalation within the GLPI instance.

The official advisory published in the GLPI GitHub repository recommends an immediate upgrade to version 10.0.17 to remediate the vulnerabilities. No configuration change or workaround is described in the reference, so patching is the only vendor-supported fix.

The EPSS score peaked at 0.1527 and currently stands at 0.1240, indicating moderate and slightly declining exploitation interest since disclosure.


Vulnerability details

GLPI is a free asset and IT management software package. An authenticated user can exploit multiple SQL injection vulnerabilities. One of them can be used to alter another user account data and take control of it. Upgrade to 10.0.17.

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

glpi-project glpi, versions from 0.85 up to, but not including, 10.0.17 (the fixed release)
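A triage helper for the affected range above, added here as an example and not the page's or GLPI's own code: it parses dotted versions numerically so that 10.0.9 sorts below 10.0.17 (plain string comparison gets that wrong) and flags inventory entries from 0.85 up to, but not including, 10.0.17. The hostnames and versions in `SAMPLE_INVENTORY` are constructed for the demonstration.

```python
# Added example: flag GLPI installs in the affected range of CVE-2024-40638
# (0.85 <= version < 10.0.17, the fixed release). Not GLPI's own code.
from typing import Iterable, List, Tuple

AFFECTED_FROM = (0, 85)     # first affected version per the asset entry
FIXED_IN = (10, 0, 17)      # first fixed version per the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.0.16' into (10, 0, 16) so each component compares numerically.

    A pre-release or build suffix ('10.0.17-rc1', '10.0.17+deb') is dropped; this
    simplification treats a pre-release of the fixed version as fixed, which is
    optimistic, so review such entries by hand.
    """
    core = version.strip().split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str) -> bool:
    parsed = parse_version(version)
    return AFFECTED_FROM <= parsed < FIXED_IN


def triage(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose GLPI version falls in the affected range."""
    return [host for host, version in inventory if is_affected(version)]


# Constructed inventory for the demo, not real hosts.
SAMPLE_INVENTORY = [
    ("glpi-prod-01", "10.0.16"),
    ("glpi-prod-02", "10.0.17"),
    ("glpi-legacy", "9.5.13"),
    ("glpi-test", "10.0.9"),    # string comparison would wrongly place this above 10.0.17
    ("glpi-ancient", "0.84"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected, upgrade to 10.0.17")
```

Feed it whatever your asset inventory exports (hostname, version pairs); anything it returns is in scope for the 10.0.17 upgrade.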

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-89) cited in the NVD entry.

Penetration testing (addresses CWE-89). Sends SQL injection payloads against database-backed interfaces to identify SQL injection weaknesses and support their fixes. For this CVE the test has to be run from an authenticated low-privilege account, since that is the precondition the advisory describes.

Query input validation (addresses CWE-89). Validates query inputs so that user-supplied data cannot alter SQL syntax or commands; in practice the reliable form of this control is to bind every user-controlled value as a parameter of a prepared statement rather than splicing it into the statement text.
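The weakness class behind both the advisory text above and the input-validation control, as an added example: this is not GLPI's code and not the real CVE-2024-40638 injection point (the advisory does not disclose it). It is a constructed password-change handler with a string-built `UPDATE` beside its parameterised form, run against an in-memory SQLite table, showing how a low-privilege user's input rewrites another user's row and logs in as that user. The table, columns, users and `PAYLOAD` string are assumptions made for the demonstration.

```python
# Added example: the CWE-89 pattern behind the advisory, in a constructed
# password-change handler. Not GLPI's code and not the real injection point;
# table, columns, users and PAYLOAD are assumptions made for the demo.
import sqlite3
from typing import Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed user table. Passwords are stored in clear only to keep the demo short."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE glpi_users (id INTEGER PRIMARY KEY, name TEXT, password TEXT, is_admin INTEGER)"
    )
    con.executemany(
        "INSERT INTO glpi_users (id, name, password, is_admin) VALUES (?, ?, ?, ?)",
        [(1, "admin", "admin-secret", 1), (2, "alice", "alice-pass", 0)],
    )
    con.commit()
    return con


def update_password_vulnerable(con: sqlite3.Connection, user_id: int, new_password: str) -> str:
    """Vulnerable: the caller-controlled value is spliced into the statement text."""
    sql = f"UPDATE glpi_users SET password = '{new_password}' WHERE id = {user_id}"
    con.execute(sql)
    con.commit()
    return sql  # returned so the reader can see what the database actually ran


def update_password_safe(con: sqlite3.Connection, user_id: int, new_password: str) -> None:
    """Hardened: bound parameters; the value cannot change the statement's structure."""
    con.execute("UPDATE glpi_users SET password = ? WHERE id = ?", (new_password, user_id))
    con.commit()


def login(con: sqlite3.Connection, name: str, password: str) -> Optional[int]:
    row = con.execute(
        "SELECT id FROM glpi_users WHERE name = ? AND password = ?", (name, password)
    ).fetchone()
    return row[0] if row else None


# What the low-privilege user 'alice' (id 2) submits as her "new password".
# The quote closes the literal, the rest re-targets the WHERE clause at id 1
# and the trailing '--' comments out the handler's own WHERE clause.
PAYLOAD = "pwned' WHERE id = 1 -- "


def takeover_via_vulnerable_path() -> Optional[int]:
    con = make_db()
    update_password_vulnerable(con, user_id=2, new_password=PAYLOAD)
    return login(con, "admin", "pwned")  # 1: alice now authenticates as admin


def takeover_via_safe_path() -> Tuple[Optional[int], Optional[int]]:
    con = make_db()
    update_password_safe(con, user_id=2, new_password=PAYLOAD)
    # admin untouched; alice's password is just the literal payload string
    return login(con, "admin", "pwned"), login(con, "alice", PAYLOAD)


if __name__ == "__main__":
    print("statement run by the vulnerable handler:")
    print("  " + update_password_vulnerable(make_db(), 2, PAYLOAD))
    print("vulnerable path, id returned by login as admin:", takeover_via_vulnerable_path())
    print("safe path, (admin login, alice login):", takeover_via_safe_path())
```

The hardened handler does not try to filter quotes or keywords out of the input; it relies on parameter binding, which keeps data and SQL structure separate regardless of what the user types. That is the property the "query input validation" control above is really asking for.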
