CVE-2022-24867

7.5 HIGH

📋 TL;DR

CVE-2022-24867 is an information disclosure vulnerability in GLPI where the LDAP password is exposed in rendered page source code due to insufficient filtering of configuration variables passed to JavaScript. This affects all GLPI instances using LDAP authentication, potentially exposing sensitive directory service credentials to anyone who can view page source.

💻 Affected Systems

Products:
  • GLPI (Gestionnaire Libre de Parc Informatique)
Versions: All versions before 10.0.2
Operating Systems: All platforms running GLPI
Default Config Vulnerable: ✅ No
Notes: Only affects GLPI instances configured with LDAP authentication. The vulnerability requires LDAP to be enabled and configured.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers obtain LDAP directory service credentials, potentially gaining full access to directory services, compromising all user accounts, and enabling lateral movement across the network.

🟠 Likely Case

Unauthorized users access LDAP credentials, potentially compromising the LDAP directory and enabling privilege escalation or data exfiltration.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to credential exposure requiring rotation and potential LDAP service compromise.

🌐 Internet-Facing: HIGH - Internet-facing GLPI instances expose LDAP credentials to anyone who can view page source, potentially compromising entire directory infrastructure.
🏢 Internal Only: MEDIUM - Internal-only instances still expose credentials to authenticated users, enabling insider threats and lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation only requires viewing the rendered page source, which typically requires at least some level of access to the GLPI interface. The advisory confirms the vulnerability is easily exploitable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.0.2 and later

Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-4r49-52q9-5fgr

Restart Required: No

Instructions:

1. Backup your GLPI installation and database.
2. Download GLPI 10.0.2 or later from the official repository.
3. Replace existing files with the new version.
4. Run the update script via the web interface or command line.
5. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable LDAP Authentication

Platforms: all

Temporarily disable LDAP authentication until patching is complete.

Edit the GLPI configuration to remove the LDAP settings or switch to local authentication.

🧯 If You Can't Patch

  • Disable LDAP authentication immediately and rotate all exposed LDAP credentials
  • Implement strict access controls to limit who can view GLPI pages and inspect page source

🔍 How to Verify

Check if Vulnerable:

1. Log into GLPI with LDAP authentication enabled.
2. View the page source (Ctrl+U in the browser).
3. Search for 'ldap_pass' in the source code. If it is found with a password value, the system is vulnerable.

Check Version:

Check the GLPI version via the web interface (Setup > General > Information) or in the config/glpicrypt.key file.

Verify Fix Applied:

1. After patching, repeat the vulnerability check.
2. 'ldap_pass' should no longer appear in the page source, or should be properly filtered/obfuscated.
3. Verify the GLPI version is 10.0.2 or higher.
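The page-source check above, automated as an added example (this is not code from the page or from the GLPI project): it scans a saved page source for sensitive configuration keys that carry a non-empty value, treating an absent or empty value as the filtered state the fix leaves behind, and shows an allow-list filter of the kind that keeps secrets out of the JavaScript config in the first place. The `CFG_GLPI` variable name, both sample pages, the extra key names and the allow-list are assumptions constructed for this example.

```python
import re
import sys
from pathlib import Path

# Config keys that must never reach the browser. ldap_pass is the key this CVE
# concerns; the other two are assumed additions for a broader defender's check.
SENSITIVE_KEYS = ("ldap_pass", "smtp_passwd", "proxy_passwd")

# Matches key: "value" or key = 'value' in JSON or plain JS object literals.
_SECRET_RE = re.compile(
    r'["\']?\b(' + "|".join(SENSITIVE_KEYS) + r')\b["\']?\s*[:=]\s*["\']([^"\']*)["\']'
)

# Constructed page sources. The CFG_GLPI variable name and layout are assumptions
# standing in for whatever config object the real GLPI page embeds.
VULNERABLE_PAGE = """<script>
var CFG_GLPI = {"root_doc":"/glpi","ldap_user":"cn=bind,dc=example,dc=com","ldap_pass":"S3cr3t!"};
</script>"""
FIXED_PAGE = """<script>
var CFG_GLPI = {"root_doc":"/glpi","ldap_user":"cn=bind,dc=example,dc=com","ldap_pass":""};
</script>"""


def find_exposed_secrets(page_source: str) -> dict:
    """Return {key: value} for sensitive keys that appear with a non-empty value.
    An empty or absent value counts as filtered, i.e. the advisory's fixed state."""
    return {key: value for key, value in _SECRET_RE.findall(page_source) if value}


def export_config_for_js(cfg: dict, allowed: tuple = ("root_doc", "ldap_user")) -> dict:
    """Allow-list filter (assumed key list): only named keys are passed to JavaScript,
    so a secret added to the config later is never exposed by default."""
    return {key: cfg[key] for key in allowed if key in cfg}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python check_glpi_source.py saved_page.html
        pages = [(sys.argv[1], Path(sys.argv[1]).read_text(encoding="utf-8", errors="replace"))]
    else:
        pages = [("vulnerable sample", VULNERABLE_PAGE), ("fixed sample", FIXED_PAGE)]
    for name, page in pages:
        leaked = find_exposed_secrets(page)
        status = "EXPOSED: " + ", ".join(leaked) if leaked else "no secrets exposed"
        print(f"{name}: {status}")
```

Save the page source from the browser (Ctrl+U, then save) and pass the file path to check a real instance; values are only reported by key name so the output itself does not echo the secret.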

📡 Detection & Monitoring

Log Indicators:

  • Unusual LDAP authentication attempts from unexpected sources
  • Multiple failed login attempts followed by successful LDAP authentication

Network Indicators:

  • Unexpected LDAP queries from GLPI server to directory services
  • Traffic patterns suggesting credential harvesting

SIEM Query:

source="glpi" AND ("ldap_pass" OR "password exposure" OR "credential leak")
