CVE-2023-28838

9.6 CRITICAL

📋 TL;DR

This SQL injection vulnerability in GLPI allows authenticated users with statistics or reports access rights to execute arbitrary SQL queries. Attackers can extract all database data and potentially write webshells to the server, leading to complete system compromise. Users running GLPI versions 0.50 through 9.5.12, or 10.0.0 through 10.0.6, are affected.

💻 Affected Systems

Products:
  • GLPI (Gestionnaire Libre de Parc Informatique)
Versions: 0.50 through 9.5.12, and 10.0.0 through 10.0.6
Operating Systems: All platforms running GLPI
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with statistics or reports read permissions. Default installations may grant these permissions to some user roles.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database exfiltration, webshell deployment leading to full server compromise, lateral movement within the network, and data destruction.

🟠 Likely Case

Unauthorized data extraction from the GLPI database, including sensitive information such as user credentials, asset details, and configuration data.

🟢 If Mitigated

Limited impact with proper access controls and network segmentation, potentially affecting only GLPI application data.

🌐 Internet-Facing: HIGH - Internet-facing GLPI instances are directly accessible to attackers who can exploit this with valid credentials.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts can exploit this to gain full database access and potentially compromise the server.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but SQL injection is straightforward once authenticated. Public advisories include technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.5.13 or 10.0.7

Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-2c7r-gf38-358f

Restart Required: No

Instructions:

1. Back up your GLPI database and files.
2. Download GLPI 9.5.13 or 10.0.7 from the official repository.
3. Follow the GLPI upgrade documentation for your version.
4. Verify that the upgrade completed successfully.

🔧 Temporary Workarounds

Remove Statistics and Reports Permissions

Applies to: all versions

Remove read rights from Assistance > Statistics and Tools > Reports for all users to prevent exploitation.

Navigate to GLPI admin panel > Setup > Profiles > Edit each profile > Uncheck the 'Statistics' and 'Reports' read permissions.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate GLPI server from critical systems
  • Enable detailed SQL query logging and monitor for suspicious database activity

🔍 How to Verify

Check if Vulnerable:

Check the GLPI version in the admin panel or via the 'php glpi/console.php version' command. If the version is between 0.50 and 9.5.12, or between 10.0.0 and 10.0.6, the system is vulnerable.

Check Version:

php glpi/console.php version

Verify Fix Applied:

Verify that the GLPI version is 9.5.13 or higher (9.x branch) or 10.0.7 or higher (10.x branch). Test the statistics and reports functionality with limited user accounts to confirm that the permission changes behave as expected.
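The following script is an added example, not part of this advisory or of the GLPI project. It turns the version ranges above into a repeatable check: it compares a version string against both affected ranges, names the fixed release for that branch, and can read the version out of the contents of GLPI's inc/define.php (the assumption here is that GLPI declares its version there as define('GLPI_VERSION', '...')). The define.php snippet in the script is constructed for the demo.

```python
import re

# Affected ranges exactly as stated in the advisory (inclusive bounds), with the
# fixed release for each branch.
AFFECTED_RANGES = (
    ((0, 50), (9, 5, 12), "9.5.13"),
    ((10, 0, 0), (10, 0, 6), "10.0.7"),
)


def parse_version(text):
    """Turn '9.5.12' or '10.0.6-dev' into a tuple of ints.

    A pre-release suffix such as '-dev' is dropped, so '10.0.7-dev' compares as
    10.0.7; treat development builds with care, since they may predate the fix.
    """
    core = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not core:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in core.group(0).split("."))


def pad(version, width=3):
    """Right-pad a version tuple with zeros so tuples of different length compare."""
    return version + (0,) * (width - len(version))


def assess(version):
    """Return whether the given GLPI version falls inside an affected range."""
    v = pad(parse_version(version))
    for low, high, fixed in AFFECTED_RANGES:
        if pad(low) <= v <= pad(high):
            return {"version": version, "vulnerable": True, "upgrade_to": fixed}
    return {"version": version, "vulnerable": False, "upgrade_to": None}


# Assumption: GLPI stores its version in inc/define.php as define('GLPI_VERSION', '...').
DEFINE_RE = re.compile(
    r"define\(\s*['\"]GLPI_VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*\)"
)


def version_from_define_php(source):
    """Extract the GLPI_VERSION value from the text of inc/define.php."""
    match = DEFINE_RE.search(source)
    if not match:
        raise ValueError("GLPI_VERSION not found in the supplied source")
    return match.group(1)


# Constructed sample of the relevant line; not copied from a real installation.
SAMPLE_DEFINE_PHP = "<?php\n// ...\ndefine('GLPI_VERSION', '10.0.6');\n"


if __name__ == "__main__":
    candidates = ["0.50", "9.5.12", "9.5.13", "10.0.6", "10.0.7"]
    candidates.append(version_from_define_php(SAMPLE_DEFINE_PHP))
    for candidate in candidates:
        print(assess(candidate))
```

To use it against a real install, read inc/define.php from the GLPI document root and pass its contents to version_from_define_php, or pass the version string reported by the admin panel straight to assess.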

📡 Detection & Monitoring

Log Indicators:

  • Unusually long SQL queries in GLPI logs
  • Multiple failed login attempts followed by statistics/reports access
  • Database queries with UNION statements or unusual syntax

Network Indicators:

  • Unusual outbound database connections from GLPI server
  • Large data transfers from GLPI database port

SIEM Query:

source="glpi_logs" AND (message="*SELECT*UNION*" OR message="*INSERT*INTO*" OR message="*webshell*" OR (message="*statistics*" AND severity="CRITICAL"))
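As an added example (not part of this advisory or of GLPI), the script below applies the log indicators listed above to database query log lines: it flags UNION SELECT injection, file-write clauses of the kind used to drop a webshell, reads of information_schema, SQL comments, and unusually long queries. The log lines are constructed for the demo in the shape of a MySQL general query log ("<timestamp> <thread id> Query <sql>"); the exact format and the length threshold are assumptions to adjust to your own logging setup.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    rule: str
    excerpt: str


# Indicator rules derived from the advisory's log indicators.
RULES = [
    ("union_select", re.compile(r"\bUNION\b\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("file_write", re.compile(r"\bINTO\s+(?:OUT|DUMP)FILE\b", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\b", re.I)),
    ("sql_comment", re.compile(r"/\*.*?\*/|--\s")),
]
MAX_QUERY_LEN = 1500  # assumed threshold for "unusually long" GLPI queries

# Assumed line shape of a MySQL general query log entry.
LINE_RE = re.compile(r"^\S+\s+(\d+)\s+Query\s+(.*)$")


def scan(lines):
    """Return one Finding per (line, rule) match; non-query lines are skipped."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = LINE_RE.match(line)
        if not match:
            continue
        sql = match.group(2)
        for name, pattern in RULES:
            if pattern.search(sql):
                findings.append(Finding(line_no, name, sql[:80]))
        if len(sql) > MAX_QUERY_LEN:
            findings.append(Finding(line_no, "long_query", sql[:80]))
    return findings


# Constructed sample log: one benign query, one UNION injection, one file write,
# one oversized query, and one non-query line that must be ignored.
SAMPLE_LOG = [
    "2023-03-20T10:00:01.000000Z\t   42 Query\tSELECT * FROM glpi_computers WHERE id = 7",
    "2023-03-20T10:00:02.000000Z\t   43 Query\tSELECT id FROM glpi_tickets WHERE id = 1 "
    "UNION SELECT name FROM glpi_users",
    "2023-03-20T10:00:03.000000Z\t   44 Query\tSELECT 1 INTO OUTFILE '/tmp/placeholder.txt'",
    "2023-03-20T10:00:04.000000Z\t   45 Query\tSELECT " + ", ".join("1" for _ in range(600)),
    "2023-03-20T10:00:05.000000Z\t   42 Connect\tglpi@localhost on glpi",
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"line {finding.line_no}: {finding.rule}: {finding.excerpt}")
```

In production, feed scan() the lines of the general query log (or GLPI's own SQL logging output) and forward findings to the SIEM; tune MAX_QUERY_LEN against a baseline of normal GLPI traffic before alerting on it.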
