CVE-2022-36112

Published: Sep 14, 2022

Modified: Apr 23, 2025

PUBLISHED

CVSS v3.1

3.5

LOW

Description

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Usage of RSS feeds or extenal calendar in planning is subject to SSRF exploit. Server-side requests can be used to scan server port or services opened on GLPI server or its private network. Queries responses are not exposed to end-user (blind SSRF). Users are advised to upgrade to version 10.0.3 to resolve this issue. There are no known workarounds.

Vendor	Product	Versions
glpi-project	glpi	affected `< 10.0.3`

Weaknesses (CWE)

CWE-918

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

None

References

https://github.com/glpi-project/glpi/security/advisories/GHSA-rqgx-gqhp-x8vv

x_refsource_CONFIRM

https://github.com/glpi-project/glpi/commit/ad66d69049ae02bead8ed0f4ee654a458643244e

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-36112

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References