Vulnerability Description
GLPI stands for Gestionnaire Libre de Parc Informatique and is a free asset and IT management software package that provides ITIL service desk features, license tracking and software auditing. Affected versions have been found to be vulnerable to a SQL injection attack which an attacker could leverage to simulate an arbitrary user login. Users are advised to upgrade to version 10.0.3. Users unable to upgrade should disable the `Enable login with external token` API configuration.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Glpi-Project | Glpi | < 10.0.3 |
Related Weaknesses (CWE)
References
- https://github.com/glpi-project/glpi/commit/564309d2c1180d5ba1615f4bbaf6623df81b (Patch, Third Party Advisory)
- https://github.com/glpi-project/glpi/security/advisories/GHSA-7p3q-cffg-c8xh (Third Party Advisory)
FAQ
What is CVE-2022-35947?
CVE-2022-35947 is a vulnerability with a CVSS score of 10.0 (CRITICAL). GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Affec...
How severe is CVE-2022-35947?
CVE-2022-35947 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-35947?
Check the references section above for vendor advisories and patch information. Affected products include: Glpi-Project Glpi.