CVE-2022-31056
📋 TL;DR
CVE-2022-31056 is a critical SQL injection vulnerability in GLPI's assistance forms (Ticket/Change/Problem) that allows attackers to execute arbitrary SQL commands. All GLPI users running affected versions are vulnerable, potentially leading to data theft, privilege escalation, or remote code execution. The vulnerability specifically affects actor fields in assistance forms.
💻 Affected Systems
- GLPI
📦 What is this software?
GLPI by the GLPI Project
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.
Likely Case
Database compromise leading to sensitive data exposure, privilege escalation, and potential administrative access to the GLPI system.
If Mitigated
Limited impact with proper input validation and database permissions, potentially only allowing data viewing without modification.
🎯 Exploit Status
Exploitation requires access to assistance forms, which typically requires authentication, but the SQL injection itself is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.0.2
Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-9q9x-7xxh-w4cg
Restart Required: No
Instructions:
1. Backup your GLPI database and files.
2. Download GLPI version 10.0.2 or later from the official repository.
3. Follow the GLPI upgrade documentation to update your installation.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Input Validation Filter
Implement custom input validation for actor fields in assistance forms to filter SQL injection attempts.
Web Application Firewall
Deploy a WAF with SQL injection protection rules to block exploitation attempts.
🧯 If You Can't Patch
- Restrict access to GLPI assistance forms to only trusted users and networks.
- Implement database-level controls to limit the impact of SQL injection (principle of least privilege).
🔍 How to Verify
Check if Vulnerable:
Check your GLPI version via the web interface (Setup > General > Information) or by examining the GLPI files.
Check Version:
Check the GLPI web interface at Setup > General > Information or examine the GLPI installation directory for version files.
Verify Fix Applied:
Confirm GLPI version is 10.0.2 or higher and test assistance forms for SQL injection using safe testing methods.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by assistance form access
- Suspicious patterns in GLPI application logs
Network Indicators:
- Unusual HTTP POST requests to assistance form endpoints with SQL syntax in parameters
SIEM Query:
source="glpi_logs" AND ("sql" OR "injection" OR "UNION" OR "SELECT" OR "FROM")
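The SIEM query above matches bare words anywhere in the logs, which is noisy. As an added example (not part of this advisory or of GLPI), the following Python narrows the network indicator to POSTs against the assistance form endpoints whose parameters contain SQL keywords together with a string or comment delimiter; the endpoint paths, the JSON log format and the parameter names are assumptions, and the log lines are constructed.

```python
import json
import re
from urllib.parse import unquote_plus
# Assumed GLPI assistance form endpoints (Ticket/Change/Problem); adjust to your install.
ASSISTANCE_FORM_PATHS = ("/front/ticket.form.php", "/front/change.form.php", "/front/problem.form.php")
# SQL keywords from the indicator list above, plus the delimiters that accompany them in injected input.
KEYWORD = re.compile(r"\b(UNION|SELECT|FROM)\b", re.IGNORECASE)
DELIMITER = re.compile(r"'|\"|--|/\*|#")

def suspicious_params(params: dict) -> dict:
    """Return the parameters whose URL-decoded value carries a keyword AND a delimiter."""
    hits = {}
    for name, value in params.items():
        decoded = unquote_plus(str(value))
        if KEYWORD.search(decoded) and DELIMITER.search(decoded):
            hits[name] = decoded
    return hits

def flag_request(entry: dict):
    """Finding for a POST to an assistance form endpoint with SQL syntax in a parameter, else None."""
    path = entry.get("path", "")
    if entry.get("method") != "POST" or not path.endswith(ASSISTANCE_FORM_PATHS):
        return None
    hits = suspicious_params(entry.get("params", {}))
    return {"src": entry.get("src"), "path": path, "params": hits} if hits else None

def scan_log(lines) -> list:
    """Run flag_request over JSON-per-line log entries, skipping lines that are not JSON."""
    findings = []
    for line in lines:
        try:
            finding = flag_request(json.loads(line))
        except json.JSONDecodeError:
            continue
        if finding:
            findings.append(finding)
    return findings

# Constructed sample log (JSON per line, as a proxy or WAF that records POST parameters might emit).
SAMPLE_LOG = [
    '{"src":"10.0.0.7","method":"GET","path":"/glpi/front/ticket.form.php","params":{"id":"12"}}',
    '{"src":"10.0.0.5","method":"POST","path":"/glpi/front/ticket.form.php","params":{"name":"Laptop won\'t boot","_users_id_requester":"42"}}',
    '{"src":"10.0.0.9","method":"POST","path":"/glpi/front/ticket.form.php","params":{"name":"test","_users_id_requester":"42%27+UNION+SELECT+1%2C2+--+"}}',
    "not a json line",
]

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

Only the third line is reported; the apostrophe in "won't" and a plain "select" in free text do not trip the rule on their own.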
🔗 References
- http://packetstormsecurity.com/files/171656/GLPI-10.0.2-SQL-Injection-Remote-Code-Execution.html
- https://github.com/glpi-project/glpi/security/advisories/GHSA-9q9x-7xxh-w4cg