First published: Thu Nov 03 2022
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a free asset and IT management software package that provides ITIL service desk features, license tracking and software auditing. Fetching RSS feeds or an external calendar in planning is vulnerable to SSRF (Server-Side Request Forgery): the administrator-defined URL allow list is applied only to the URL that was configured, so if the remote server answers with a redirect, the redirect target is requested without being checked against that allow list. An attacker who controls a permitted feed or calendar endpoint can therefore make the GLPI server request arbitrary URLs, including internal ones. This issue has been patched; upgrade to 10.0.4. There are currently no known workarounds.
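The following is an added example, not GLPI's own code, showing the flaw described above in miniature: an allow-list check that runs only on the initial URL versus one that is re-applied to every redirect hop before it is requested. The allow list, the URLs and the in-memory "server" are constructed for the example so it runs offline; the hostname-based check is an assumption for illustration and is not GLPI's actual allow-list format.

```python
"""Added example (not GLPI code): an allow list must be applied to every
redirect hop, not only to the URL the administrator configured."""
from urllib.parse import urlsplit, urljoin

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed allow list: hosts an administrator permits for RSS/calendar fetches.
ALLOW_LIST = {"feeds.example.com", "calendar.example.com"}

# Constructed stand-in for the network so the example runs offline:
# URL -> (HTTP status, Location header for redirects / body otherwise).
FAKE_SERVER = {
    "https://feeds.example.com/rss": (302, "http://169.254.169.254/latest/meta-data/"),
    "http://169.254.169.254/latest/meta-data/": (200, "internal metadata (must not be reachable)"),
    "https://feeds.example.com/moved": (301, "/cal.ics"),  # relative Location header
    "https://feeds.example.com/cal.ics": (200, "BEGIN:VCALENDAR"),
    "https://feeds.example.com/loop": (302, "https://feeds.example.com/loop"),
}


def is_allowed(url: str) -> bool:
    """Scheme must be http(s) and the host must be on the allow list."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and parts.hostname in ALLOW_LIST


def fetch(url: str, recheck_redirects: bool, max_hops: int = 5):
    """Follow redirects and return (outcome, final_url, body).

    recheck_redirects=False reproduces the flaw: the allow list is consulted
    once, for the initial URL, and redirect targets are requested unchecked.
    recheck_redirects=True checks every hop before it is requested.
    """
    if not is_allowed(url):
        return ("blocked", url, None)
    for _ in range(max_hops):
        status, payload = FAKE_SERVER.get(url, (404, ""))
        if status not in REDIRECT_STATUSES:
            return ("ok", url, payload)
        url = urljoin(url, payload)  # resolve relative Location values
        if recheck_redirects and not is_allowed(url):
            return ("blocked", url, None)
    # A hop cap is needed too: a redirect loop must not pin the worker forever.
    return ("too_many_redirects", url, None)


def fetch_vulnerable(url: str):
    """Pre-fix behaviour: allow list checked only on the configured URL."""
    return fetch(url, recheck_redirects=False)


def fetch_hardened(url: str):
    """Fixed behaviour: allow list checked on every redirect target."""
    return fetch(url, recheck_redirects=True)


if __name__ == "__main__":
    for u in ("https://feeds.example.com/rss", "https://feeds.example.com/moved"):
        print("vulnerable:", fetch_vulnerable(u))
        print("hardened:  ", fetch_hardened(u))
```

With the constructed data, `fetch_vulnerable` happily lands on the metadata address because the only check ran before the 302, while `fetch_hardened` refuses the hop. Two caveats a practitioner should keep in mind: a hostname allow list alone does not defend against DNS rebinding or a permitted host that resolves to an internal address, so the resolved IP should be checked as well; and the page does not show how GLPI 10.0.4 implements its fix, only that the redirect target is now validated.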
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix
---|---|---
GLPI-PROJECT GLPI | < 10.0.4 | Upgrade to 10.0.4
CVE-2022-39276 is a vulnerability in GLPI, an IT asset and service management software package, that allows SSRF (Server-Side Request Forgery) through the fetching of RSS feeds or an external calendar in planning: a redirect returned by the remote server is followed without checking its target against the administrator's URL allow list.
CVE-2022-39276 has a severity rating of 5.3 (Medium).
CVE-2022-39276 affects GLPI versions earlier than 10.0.4.
To fix CVE-2022-39276, update GLPI to version 10.0.4 or later, where the redirect target is validated against the allow list. No workaround is known.
More information about CVE-2022-39276 can be found at the following references: [GitHub Advisory](https://github.com/glpi-project/glpi/security/advisories/GHSA-8vwg-7x42-7v6p) and [Huntr](https://huntr.dev/bounties/7a88f92b-1ee2-4ca8-9cf8-05fcf6cfe73f/).