CVE-2024-37149

7.2 HIGH

📋 TL;DR

Authenticated technician users in GLPI can upload malicious PHP scripts and hijack the plugin loader to execute arbitrary code. This affects GLPI installations with technician user accounts that have upload privileges.

💻 Affected Systems

Products:
  • GLPI
Versions: Versions before 10.0.16
Operating Systems: All platforms running GLPI
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated technician user with upload capabilities.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Full server compromise leading to data theft, lateral movement, and complete system control.

🟠 Likely Case: Unauthorized code execution within the GLPI application context, potentially accessing sensitive IT asset data.

🟢 If Mitigated: Limited impact if proper file upload restrictions and user privilege controls are implemented.

🌐 Internet-Facing: HIGH - Internet-facing GLPI instances are directly accessible to attackers who obtain technician credentials.
🏢 Internal Only: MEDIUM - Internal instances still vulnerable to insider threats or compromised internal accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.0.16

Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-cwvp-j887-m4xh

Restart Required: No

Instructions:

1. Backup your GLPI database and files.
2. Download GLPI 10.0.16 or newer.
3. Follow the official GLPI upgrade procedure.
4. Verify the upgrade completed successfully.

🔧 Temporary Workarounds

Restrict file uploads (applies to: all)

Limit file upload capabilities for technician users to prevent malicious PHP uploads.

Implement WAF rules (applies to: all)

Add web application firewall rules to block PHP file uploads and suspicious plugin loader requests.

🧯 If You Can't Patch

  • Implement strict user access controls and limit technician privileges
  • Monitor file upload directories for PHP files and implement real-time alerting
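The second item above (monitor upload directories for PHP files) can be turned into a simple periodic check. The script below is an added example, not GLPI code or part of the advisory; the `_uploads` layout, the sample files and the extension list are constructed assumptions, so point `scan_upload_dir` at your real upload tree and adjust the extensions to what your web server actually executes.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Extensions a typical PHP-enabled web server will execute (assumption; match your handler config).
PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php5", ".php7", ".phar"}
# PHP open tags: a file with a harmless-looking extension can still carry PHP code.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

def classify_file(path: Path, max_bytes: int = 65536) -> Optional[str]:
    """Label a file that should not live in an upload tree, or None if it looks benign."""
    ext = path.suffix.lower()
    try:
        head = path.read_bytes()[:max_bytes]
    except OSError:
        return None  # unreadable, or removed between listing and read
    has_tag = PHP_TAG.search(head) is not None
    if ext in PHP_EXTENSIONS:
        return "php-script" if has_tag else "php-extension"
    return "php-code-disguised" if has_tag else None

def scan_upload_dir(root: str) -> List[Tuple[str, str]]:
    """Walk root and return sorted (relative_path, finding) pairs suitable for alerting."""
    root_path = Path(root)
    findings = []
    for dirpath, _dirs, filenames in os.walk(root_path):
        for name in filenames:
            full = Path(dirpath) / name
            label = classify_file(full)
            if label:
                findings.append((full.relative_to(root_path).as_posix(), label))
    return sorted(findings)

def demo() -> List[Tuple[str, str]]:
    """Scan a temporary directory populated with constructed sample uploads."""
    with tempfile.TemporaryDirectory() as tmp:
        up = Path(tmp) / "_uploads"  # constructed layout, not GLPI's real directory tree
        up.mkdir()
        (up / "photo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)  # benign image
        (up / "invoice.pdf").write_bytes(b"%PDF-1.4\n<?php echo 'sample'; ?>")  # PHP hidden in .pdf
        (up / "note.txt.php").write_bytes(b"<?php echo 'sample'; ?>")  # double extension
        (up / "stub.phtml").write_bytes(b"")  # executable extension, no code yet
        return scan_upload_dir(tmp)

if __name__ == "__main__":
    for rel, label in demo():
        print(f"{label}: {rel}")
```

Run it from cron or a file-watcher and forward any non-empty result to your SIEM; a file flagged `php-code-disguised` is the case a pure extension filter misses.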

🔍 How to Verify

Check if Vulnerable:

Check GLPI version in administration panel or via 'php glpi/console version' command.

Check Version:

php glpi/console version

Verify Fix Applied:

Confirm version is 10.0.16 or higher and test that PHP file uploads are properly restricted.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to GLPI directories
  • PHP file execution in plugin directories
  • Multiple failed upload attempts

Network Indicators:

  • HTTP POST requests with PHP file uploads to GLPI endpoints
  • Unusual outbound connections from GLPI server

SIEM Query:

source="glpi.log" AND ("upload" OR "plugin") AND ("php" OR "exec")
