CVE-2024-38370

5.3 MEDIUM

📋 TL;DR

This vulnerability in GLPI lets an authenticated API user download documents without the server checking whether that user is actually authorized to view them (an authorization bypass, not an authentication bypass). It affects GLPI 9.2.0 through 10.0.15 and is fixed in 10.0.16. Anyone who can obtain an API session, including a low-privileged account, can use it to retrieve sensitive documents they should not be able to see.

💻 Affected Systems

Products:
  • GLPI
Versions: 9.2.0 through 10.0.15
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes (the vulnerable code ships with every affected version)
Notes: Only exploitable when the REST API is enabled (Setup > General > API) and documents are stored in GLPI. Installations with the API switched off are not reachable through this path.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could download sensitive documents containing confidential information, credentials, or proprietary data, leading to data breach and compliance violations.

🟠

Likely Case

Unauthorized users accessing documents they shouldn't have permission to view, potentially exposing internal documentation or user-uploaded files.

🟢

If Mitigated

Limited exposure if API access is restricted to trusted networks and the set of accounts and API tokens that can open an API session is small and tightly controlled.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an API session, so the attacker needs credentials or an API token for some GLPI account. The flaw is that the API document download path did not enforce the calling user's document rights, so a valid but low-privileged session is enough.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.0.16

Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-xrm2-m72w-w4x4

Restart Required: No

Instructions:

1. Back up your GLPI installation and database.
2. Download GLPI 10.0.16 or later from the official repository.
3. Follow the GLPI upgrade documentation to apply the update, including the database update step (web installer or `php bin/console db:update`).
4. Verify the update was successful by checking the version.

🔧 Temporary Workarounds

Restrict API Access

Applies to: all affected versions

Limit API access to trusted IP addresses, or disable the REST API (Setup > General > API) if it is not needed.

Configure the web server (Apache/Nginx) to restrict access to the API entry point. The REST API is served by apirest.php, so restrict that script (and any /api/ rewrite alias your deployment uses), not only /api/*.

🧯 If You Can't Patch

  • Implement strict network segmentation so that only hosts that legitimately need the API can reach it
  • Review who holds GLPI accounts and API tokens, revoke unused ones, and keep API-capable accounts to a minimum, since segmentation alone does not stop a legitimate low-privileged account
  • Monitor API access logs for document downloads by accounts or tokens that have no business reason to fetch them

🔍 How to Verify

Check if Vulnerable:

Check the GLPI version via the web interface (Setup > General > Information) or by examining the GLPI installation files, and check whether the REST API is enabled (Setup > General > API). Versions 9.2.0 through 10.0.15 with the API enabled are exploitable.

Check Version:

Check Setup > General > Information in GLPI web interface or examine inc/define.php file

Verify Fix Applied:

Confirm the version is 10.0.16 or later. Then, with a test account that has no rights to a given document, request that document through the API (the documented download call is GET /apirest.php/Document/<id>?alt=media with Accept: application/octet-stream) and confirm the server refuses instead of returning the file.
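The version check above is easy to script. The following is an added example, not GLPI project code: it reads the GLPI_VERSION constant from inc/define.php (GLPI declares it there as `define('GLPI_VERSION', '...')`) and tests it against the affected range 9.2.0 <= version < 10.0.16. It goes slightly beyond the page by treating pre-release builds such as "10.0.16-dev" as older than the final 10.0.16, so a development checkout is not mistaken for a patched install. The embedded define.php content is a constructed sample, not a dump of a real file.

```python
"""Added example (not GLPI project code): version check for CVE-2024-38370."""
import re
import sys

# Affected range from the advisory: 9.2.0 <= version < 10.0.16.
# Tuples carry a 4th element: 0 = pre-release, 1 = final release.
AFFECTED_MIN = (9, 2, 0, 0)
FIXED = (10, 0, 16, 1)


def parse_version(version: str) -> tuple:
    """Turn '10.0.15' or '10.0.16-dev' into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)$", version.strip())
    if not m:
        raise ValueError(f"unrecognised GLPI version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    # A pre-release suffix ("-dev", "-rc1") sorts below the final release it precedes
    release_flag = 0 if suffix else 1
    return (int(major), int(minor), int(patch or 0), release_flag)


def is_affected(version: str) -> bool:
    """True if this GLPI version is in the range affected by CVE-2024-38370."""
    v = parse_version(version)
    return AFFECTED_MIN <= v < FIXED


def version_from_define(php_source: str) -> str:
    """Extract GLPI_VERSION from the text of inc/define.php."""
    m = re.search(
        r"define\(\s*['\"]GLPI_VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*\)",
        php_source,
    )
    if not m:
        raise ValueError("GLPI_VERSION not found in the given PHP source")
    return m.group(1)


# Constructed sample of the relevant define.php line (not a real file dump).
SAMPLE_DEFINE_PHP = """<?php
define('GLPI_VERSION', '10.0.15');
"""

if __name__ == "__main__":
    # Usage: python check_glpi.py /path/to/glpi/inc/define.php
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DEFINE_PHP
    v = version_from_define(src)
    verdict = "AFFECTED, upgrade to 10.0.16 or later" if is_affected(v) else "not in the affected range"
    print(f"GLPI {v}: {verdict}")
```

Run it against the real inc/define.php path; without an argument it evaluates the constructed sample and reports 10.0.15 as affected. The version number alone does not tell you whether the API is enabled, so pair this with the Setup > General > API check.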

📡 Detection & Monitoring

Log Indicators:

  • Successful (HTTP 200) API document downloads by accounts or API tokens that have no business reason to fetch those documents; because the bug is an authorization bypass, the requests succeed rather than fail
  • A single client fetching many distinct document IDs in quick succession (enumeration of /apirest.php/Document/<id>?alt=media)
  • Multiple failed authentication attempts followed by successful document downloads from the same source

Network Indicators:

  • Unusual volumes or patterns of API requests to the document endpoint from IPs outside the ranges that normally use the API, especially from scripted user agents

SIEM Query:

source="glpi_logs" AND (uri_path LIKE "%/apirest.php/Document/%" OR uri_path LIKE "%/api/Document/%") AND uri_query LIKE "%alt=media%" AND status=200

Field names are illustrative; map them to your log schema. Group the results by client and count distinct document IDs to surface enumeration. Note that a query of the form `... AND user="anonymous" OR auth_status="failed"` without parentheses matches every failed-auth event, not just document requests, and failed authentications are in any case not the signal for this bug.
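Where no SIEM is available, the same logic can run over the web server access log. The following is an added example, not GLPI project code: it parses Apache/Nginx combined-format lines, picks out GLPI REST document downloads (apirest.php/Document/<id>?alt=media, or the /api/ rewrite alias), and reports clients that successfully fetched at least a threshold number of distinct documents. The log lines are constructed samples. Access logs carry no session token, so correlation is by client IP; tie hits back to a user with GLPI's own logs.

```python
"""Added example (not GLPI project code): spot document enumeration in access logs."""
import re
from collections import defaultdict

# Apache/Nginx "combined" access-log line: client, timestamp, request line, status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# GLPI REST document download: .../apirest.php/Document/<id>?alt=media (or /api/ alias).
# A request without a query string returns metadata, not the file, so '?' is required.
DOC_DL_RE = re.compile(r'(?:apirest\.php|/api)/Document/(?P<doc_id>\d+)\?(?P<query>\S*)')


def parse_document_downloads(lines):
    """Yield (ip, timestamp, doc_id, status) for each API document download request."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        d = DOC_DL_RE.search(m.group("target"))
        if not d or "alt=media" not in d.group("query").split("&"):
            continue
        yield m.group("ip"), m.group("ts"), int(d.group("doc_id")), int(m.group("status"))


def find_enumeration(lines, threshold=5):
    """Return {ip: sorted distinct doc ids} for clients with >= threshold successful downloads.

    Only HTTP 200 counts: with this bug the unauthorized download succeeds,
    so 4xx responses are noise (missing documents), not the attack.
    """
    per_ip = defaultdict(set)
    for ip, _ts, doc_id, status in parse_document_downloads(lines):
        if status == 200:
            per_ip[ip].add(doc_id)
    return {ip: sorted(ids) for ip, ids in per_ip.items() if len(ids) >= threshold}


# Constructed sample log lines (not real traffic): 10.0.0.5 walks document IDs
# with a script; 10.0.0.9 is an ordinary browser fetching one document.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [12/Jun/2024:10:01:02 +0000] "GET /glpi/apirest.php/Document/41?alt=media HTTP/1.1" 200 18233 "-" "python-requests/2.31.0"',
    '10.0.0.5 - - [12/Jun/2024:10:01:02 +0000] "GET /glpi/apirest.php/Document/42?alt=media HTTP/1.1" 200 9921 "-" "python-requests/2.31.0"',
    '10.0.0.5 - - [12/Jun/2024:10:01:03 +0000] "GET /glpi/apirest.php/Document/43?alt=media HTTP/1.1" 200 1200 "-" "python-requests/2.31.0"',
    '10.0.0.5 - - [12/Jun/2024:10:01:03 +0000] "GET /glpi/apirest.php/Document/44?alt=media HTTP/1.1" 200 44120 "-" "python-requests/2.31.0"',
    '10.0.0.5 - - [12/Jun/2024:10:01:04 +0000] "GET /glpi/apirest.php/Document/45?alt=media HTTP/1.1" 200 733 "-" "python-requests/2.31.0"',
    '10.0.0.5 - - [12/Jun/2024:10:01:04 +0000] "GET /glpi/apirest.php/Document/46?alt=media HTTP/1.1" 404 87 "-" "python-requests/2.31.0"',
    '10.0.0.9 - - [12/Jun/2024:10:05:30 +0000] "GET /glpi/apirest.php/Document/41?alt=media HTTP/1.1" 200 18233 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Jun/2024:10:05:31 +0000] "GET /glpi/apirest.php/Ticket/7 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Jun/2024:10:05:32 +0000] "GET /glpi/apirest.php/Document/41 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # Usage: python glpi_doc_enum.py < /var/log/apache2/access.log
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_ACCESS_LOG
    for ip, ids in find_enumeration(source).items():
        print(f"{ip}: downloaded {len(ids)} distinct documents, ids {ids[0]}..{ids[-1]}")
```

Tune the threshold to the normal document traffic of your helpdesk; a small window (per hour or per session) is more meaningful than a whole-day count, and the metadata-only call (`/Document/<id>` without `alt=media`) is deliberately ignored because it does not return the file.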

🔗 References
