CVE-2023-36808

8.6 HIGH

📋 TL;DR

This SQL injection vulnerability in GLPI allows attackers to execute arbitrary SQL commands through the Computer Virtual Machine form and inventory request features. All GLPI installations running versions 0.80 through 10.0.7 are affected. Successful exploitation could lead to data theft, modification, or complete system compromise.

💻 Affected Systems

Products:
  • GLPI
Versions: 0.80 through 10.0.7
Operating Systems: All platforms running GLPI
Default Config Vulnerable: ⚠️ Yes
Notes: All GLPI installations with default configuration are vulnerable if using native inventory features.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise allowing data exfiltration, privilege escalation, and potential remote code execution on the underlying server.

🟠

Likely Case

Unauthorized access to sensitive IT asset data, user credentials, and potential lateral movement within the network.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, potentially only allowing data viewing without modification.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection vulnerabilities typically have low exploitation complexity, but specific exploit details are not publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.0.8

Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-vf5h-jh9q-2gjm

Restart Required: No

Instructions:

1. Back up your GLPI database and files.
2. Download GLPI 10.0.8 from the official repository.
3. Follow the GLPI upgrade documentation to apply the update.
4. Verify that the update completed successfully.

🔧 Temporary Workarounds

Disable Native Inventory

all

Disable GLPI's native inventory feature to prevent exploitation through inventory requests.

Edit GLPI configuration to disable inventory features

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries at application layer
  • Apply network segmentation and restrict access to GLPI instance

🔍 How to Verify

Check if Vulnerable:

Check GLPI version via web interface or by examining version files in installation directory.

Check Version:

Check GLPI web interface or examine config/glpicrypt.key file version

Verify Fix Applied:

Verify GLPI version is 10.0.8 or higher and test inventory functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed inventory requests
  • Suspicious patterns in web server access logs

Network Indicators:

  • Unusual database connection patterns
  • Excessive inventory requests from single source

SIEM Query:

Search for patterns like 'UNION SELECT', 'OR 1=1', or other SQL injection attempts in web logs
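As an added detection example (not part of this page or of the GLPI project), the following Python script applies the SIEM indicators above to constructed web access-log lines: it percent-decodes each request target before matching, so encoded, double-encoded or comment-split variants of 'UNION SELECT' and 'OR 1=1' are not missed, and it counts inventory requests per source. The inventory endpoint path, the form path and the sample lines are assumptions, not values taken from the advisory.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format; endpoint paths are assumed, not from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2023:10:01:02 +0000] "GET /front/computer.form.php?id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jun/2023:10:01:05 +0000] "GET /front/computervirtualmachine.form.php?id=1%27%20UNION%2F%2A%2A%2FSELECT%201%2C2--%20- HTTP/1.1" 200 981 "-" "curl/8.0"
10.0.0.9 - - [12/Jun/2023:10:01:09 +0000] "POST /front/inventory.php HTTP/1.1" 200 40 "-" "GLPI-Agent/1.4"
10.0.0.9 - - [12/Jun/2023:10:01:10 +0000] "POST /front/inventory.php HTTP/1.1" 400 40 "-" "GLPI-Agent/1.4"
10.0.0.9 - - [12/Jun/2023:10:01:11 +0000] "GET /front/inventory.php?x=1%2527%20or%201%3D1 HTTP/1.1" 200 40 "-" "curl/8.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Indicators named on the page ('UNION SELECT', 'OR 1=1') plus the usual quote-break and comment terminator.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I),
    re.compile(r"'\s*(or|and)\b", re.I),
    re.compile(r"--\s"),
]

def normalise(target):
    """Percent-decode twice (catches double encoding; over-decodes a literal %25), drop inline comments, collapse whitespace."""
    decoded = unquote_plus(unquote_plus(target))
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    return re.sub(r"\s+", " ", decoded)

def scan(log_text, inventory_path="/front/inventory.php", threshold=3):
    """Return (sqli_hits, noisy_sources): hits as (ip, decoded target, pattern), plus
    sources that hit the inventory endpoint at least `threshold` times."""
    hits, inventory = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, target = m["ip"], normalise(m["target"])
        if target.split("?", 1)[0] == inventory_path:
            inventory[ip] += 1
        for pat in SQLI_PATTERNS:
            if pat.search(target):
                hits.append((ip, target, pat.pattern))
                break
    return hits, {ip: n for ip, n in inventory.items() if n >= threshold}

if __name__ == "__main__":
    found, noisy = scan(SAMPLE_LOG)
    print(*found, sep="\n")
    print("noisy inventory sources:", noisy)
```

Tune `threshold` to the normal agent check-in rate of the deployment; a single decoded hit is worth reviewing regardless of volume.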

🔗 References
