CVE-2022-36112: Blind Server-Side Request Forgery (SSRF) in GLPI
First published: Wed Sep 14 2022(Updated: )
GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Usage of RSS feeds or extenal calendar in planning is subject to SSRF exploit. Server-side requests can be used to scan server port or services opened on GLPI server or its private network. Queries responses are not exposed to end-user (blind SSRF). Users are advised to upgrade to version 10.0.3 to resolve this issue. There are no known workarounds.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GLPI | <10.0.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is GLPI?
GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package.
What are the features of GLPI?
GLPI provides ITIL Service Desk features, licenses tracking, and software auditing.
What is CVE-2022-36112?
CVE-2022-36112 is a vulnerability that allows SSRF exploit using RSS feeds or external calendar in planning in GLPI versions up to 10.0.3.
What is the severity of CVE-2022-36112?
The severity of CVE-2022-36112 is medium with a CVSS score of 5.8.
How can I mitigate CVE-2022-36112?
To mitigate CVE-2022-36112, it is recommended to update to a version higher than 10.0.3 and apply the necessary patches.
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/remedy
- agent/last-modified-date
- agent/title
- agent/weakness
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/glpi-project
- canonical/glpi