CVE-2023-46726

7.2 HIGH

📋 TL;DR

This vulnerability allows authenticated attackers to execute arbitrary code on GLPI servers running PHP 7.4 by exploiting the LDAP server configuration form to run malicious code uploaded as GLPI documents. It affects GLPI versions 10.0.0 through 10.0.10 when running on PHP 7.4 specifically. Organizations using vulnerable GLPI installations with authenticated user access are at risk.

💻 Affected Systems

Products:
  • GLPI
Versions: 10.0.0 to 10.0.10
Operating Systems: Any OS running PHP 7.4
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems running PHP 7.4 specifically; PHP 8.x versions are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary code, potentially leading to data theft, lateral movement, or ransomware deployment.

🟠 Likely Case

Authenticated attackers gaining remote code execution to compromise the GLPI server and potentially pivot to other systems.

🟢 If Mitigated

Limited impact if proper access controls, network segmentation, and monitoring are in place to detect exploitation attempts.

🌐 Internet-Facing: HIGH if GLPI is exposed to the internet with authenticated user access, as attackers can exploit remotely.
🏢 Internal Only: MEDIUM for internal GLPI instances, as authenticated malicious insiders or compromised accounts could exploit the vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access to GLPI and ability to upload documents, but exploitation details are publicly documented in the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.0.11

Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-qc92-gxc6-5f95

Restart Required: No

Instructions:

1. Back up your GLPI installation and database.
2. Download GLPI 10.0.11 from the official repository.
3. Replace the existing files with the patched version.
4. Run the update script via the web interface or command line.
5. Verify the update completed successfully.

🔧 Temporary Workarounds

Upgrade PHP to 8.x (linux)

Migrate from PHP 7.4 to PHP 8.x, since the vulnerability only affects PHP 7.4 environments. On a Debian/Ubuntu host with Apache mod_php, installing the new runtime is not enough: the Apache module has to be switched as well, and the web server restarted.

sudo apt update && sudo apt install php8.2        # install the 8.x runtime alongside 7.4
sudo a2dismod php7.4 && sudo a2enmod php8.2       # switch the Apache PHP module to 8.2
sudo systemctl restart apache2
php -v                                             # confirm the CLI now reports 8.x as well

Restrict Document Uploads (all)

Temporarily disable or heavily restrict document upload functionality in GLPI to prevent malicious code upload.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can access the LDAP configuration form and document upload features.
  • Deploy network segmentation to isolate GLPI servers from critical systems and implement robust monitoring for suspicious activities.

🔍 How to Verify

Check if Vulnerable:

Check GLPI version via web interface (Setup > General > About) or command line: grep 'GLPI_VERSION' config/config.php

Check Version:

grep 'GLPI_VERSION' /var/www/html/glpi/config/config.php

Verify Fix Applied:

Verify the version is 10.0.11 or higher; on an installation that is not yet patched, confirm the PHP version is not 7.4.
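As an added example (not from the advisory or the GLPI project), a small POSIX shell check that folds the two conditions above, GLPI version 10.0.0 through 10.0.10 and PHP 7.4, into one verdict. It assumes the version line in the config file has the form define('GLPI_VERSION', '…'), and it takes the PHP version as an argument, as reported by php -r 'echo PHP_VERSION;'.

```shell
#!/bin/sh
# Added example, not from the advisory: decide whether a GLPI install is in
# scope for CVE-2023-46726 from its GLPI version and PHP version.
# Affected per the advisory: GLPI 10.0.0 through 10.0.10, on PHP 7.4 only.

# vercmp A B -> prints -1, 0 or 1 for dotted numeric versions (10.0.9 < 10.0.10).
vercmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*} bh=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
        if [ "${ah:-0}" -lt "${bh:-0}" ]; then printf '%s\n' -1; return; fi
        if [ "${ah:-0}" -gt "${bh:-0}" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# glpi_version_from_config FILE -> prints the version from a line such as
#   define('GLPI_VERSION', '10.0.10');      (assumed define() format)
glpi_version_from_config() {
    sed -n "s/.*define *( *['\"]GLPI_VERSION['\"] *, *['\"]\([0-9.]*\)['\"].*/\1/p" "$1" | head -n 1
}

# glpi_affected GLPI_VERSION PHP_VERSION -> exit 0 if in the affected set.
# PHP_VERSION is as reported by: php -r 'echo PHP_VERSION;'
glpi_affected() {
    gv=$1 pv=$2
    case $pv in 7.4|7.4.*) ;; *) return 1 ;; esac          # PHP 8.x is not affected
    [ "$(vercmp "$gv" 10.0.0)" -ge 0 ] && [ "$(vercmp "$gv" 10.0.10)" -le 0 ]
}

# Stand-alone demo on a constructed config file (not a real install).
sample=$(mktemp)
printf "<?php\ndefine('GLPI_VERSION', '10.0.10');\n" > "$sample"
gv=$(glpi_version_from_config "$sample")
for pv in 7.4.33 8.2.12; do
    if glpi_affected "$gv" "$pv"; then
        echo "GLPI $gv on PHP $pv: AFFECTED - upgrade to 10.0.11 or move off PHP 7.4"
    else
        echo "GLPI $gv on PHP $pv: not affected"
    fi
done
rm -f "$sample"
```

Point glpi_version_from_config at the real config file from the grep command above, and pass the output of php -v (or php -r 'echo PHP_VERSION;') from the same host, since the CLI and web-server PHP can differ after a partial upgrade.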

📡 Detection & Monitoring

Log Indicators:

  • Unusual LDAP configuration changes
  • Suspicious document uploads with executable extensions
  • Unexpected PHP process execution

Network Indicators:

  • Unusual outbound connections from GLPI server
  • Traffic to unexpected ports or IPs

SIEM Query:

source="glpi_logs" AND (event="ldap_config_change" OR event="document_upload") AND user!="admin"
