CVE-2024-45608

6.5 MEDIUM

📋 TL;DR

This SQL injection vulnerability in GLPI allows authenticated users to execute arbitrary SQL commands by manipulating their preference settings. The attack requires valid user credentials but can lead to data theft, modification, or deletion. All GLPI instances running vulnerable versions are affected.

💻 Affected Systems

Products:
  • GLPI
Versions: Before 10.0.17
Operating Systems: All platforms running GLPI
Default Config Vulnerable: ⚠️ Yes
Notes: All GLPI installations with authenticated users are vulnerable. The vulnerability is in the user preference functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including exfiltration of sensitive data, privilege escalation to administrative access, or complete system takeover through SQL injection leading to remote code execution.

🟠 Likely Case

Unauthorized access to sensitive information stored in the database, including user credentials, asset details, and configuration data that could enable further attacks.

🟢 If Mitigated

Limited impact due to proper input validation, database permissions restrictions, and network segmentation preventing lateral movement.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but the SQL injection technique is straightforward once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.0.17

Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-67p8-v79j-jp86

Restart Required: No

Instructions:

1. Back up your GLPI database and files.
2. Download GLPI 10.0.17 or newer from the official repository.
3. Follow the GLPI upgrade documentation to update your installation.
4. Verify that the upgrade completed successfully.

🔧 Temporary Workarounds

Input Validation Enhancement

all

Implement additional input validation for user preference parameters

Database Permission Restriction

all

Limit database user permissions to SELECT only for non-administrative functions

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block SQL injection patterns
  • Restrict user access to only necessary functions and implement principle of least privilege

🔍 How to Verify

Check if Vulnerable:

Check GLPI version via the web interface (Setup > General > Information) or by examining the GLPI installation files.

Check Version:

Check the GLPI web interface or examine inc/config.php for version information.

Verify Fix Applied:

Confirm version is 10.0.17 or higher and test user preference functionality for SQL injection attempts.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple preference update attempts from single user
  • Error messages containing SQL syntax

Network Indicators:

  • Unusual database connection patterns
  • Large data transfers from database server

SIEM Query:

source="glpi_logs" AND (message="*SQL*" OR message="*syntax*" OR message="*preference*")
