CVE-2024-47758
📋 TL;DR
This vulnerability in GLPI allows an authenticated user to take control of other user accounts with equal or lower privilege levels through the API. It affects GLPI installations from version 9.3.0 up to but not including 10.0.17. Any organization running a vulnerable GLPI version with authenticated users is at risk.
💻 Affected Systems
- GLPI
📦 What is this software?
Glpi by Glpi Project
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could escalate privileges to administrative level, compromise all user accounts, exfiltrate sensitive IT asset data, and potentially pivot to other systems.
Likely Case
Malicious insider or compromised user account takes over other user accounts, leading to unauthorized access to IT asset management data and potential privilege escalation.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized access within the same privilege level, with detection of suspicious account activity.
🎯 Exploit Status
Exploitation requires authenticated access but appears straightforward based on the advisory description.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.0.17
Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-3r4x-6pmx-phwr
Restart Required: No
Instructions:
1. Back up your GLPI database and files.
2. Download GLPI 10.0.17 from the official repository.
3. Follow the GLPI upgrade documentation for your version.
4. Verify that the upgrade completed successfully.
🔧 Temporary Workarounds
Restrict API Access
Temporarily disable or restrict API access for non-administrative users
# Modify GLPI configuration to restrict API endpoints
# Review and update .htaccess or web server configuration
Network Segmentation
Restrict access to the GLPI instance to trusted networks only
# Allow GLPI (80/443) only from trusted_network (replace with your CIDR), then drop all other sources;
# rule order matters: the ACCEPT rules must be appended before the DROP rules
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement strict access controls and monitor for unusual account activity
- Disable API functionality for all non-essential users
🔍 How to Verify
Check if Vulnerable:
Check the GLPI version via the web interface or by examining the version constant in the installation directory
Check Version:
# GLPI_VERSION is defined in inc/define.php (/path/to/glpi is a placeholder for the install directory)
grep "define('GLPI_VERSION'" /path/to/glpi/inc/define.php
Verify Fix Applied:
Verify that the version is 10.0.17 or later and test API functionality with non-admin users
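As an added example, not part of this advisory or of GLPI itself, the following POSIX shell script reads GLPI_VERSION from an install's inc/define.php and reports whether it falls in the affected range 9.3.0 <= version < 10.0.17; the /path/to/glpi placeholder and the define('GLPI_VERSION', 'x.y.z') line format are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory or the GLPI project): read GLPI_VERSION
# from an install and test it against the affected range for CVE-2024-47758,
# 9.3.0 <= version < 10.0.17. Assumes the constant is written as
# define('GLPI_VERSION', 'x.y.z'); in inc/define.php and that /path/to/glpi
# is replaced with the real install directory.

# Compare two dotted versions component by component.
# Prints -1, 0 or 1 for a<b, a=b, a>b. Missing components ("10.0") are
# padded with 0 and suffixes ("10.0.17-dev") are stripped before comparing.
vercmp() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s.0.0' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*//')
    y=$(printf '%s.0.0' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*//')
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then echo -1; return; fi
    if [ "$x" -gt "$y" ]; then echo 1; return; fi
    i=$((i + 1))
  done
  echo 0
}

# Succeeds (exit 0) when the version lies in the affected range, fails otherwise.
glpi_vulnerable() {
  [ "$(vercmp "$1" 9.3.0)" -ge 0 ] && [ "$(vercmp "$1" 10.0.17)" -lt 0 ]
}

# Extract the version string from a GLPI inc/define.php file.
glpi_version_from_file() {
  sed -n "s/.*define('GLPI_VERSION', *'\([^']*\)').*/\1/p" "$1"
}

# Usage against a real install (path is a placeholder):
#   v=$(glpi_version_from_file /path/to/glpi/inc/define.php)
#   if glpi_vulnerable "$v"; then echo "GLPI $v is affected, upgrade to 10.0.17"; fi
```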
📡 Detection & Monitoring
Log Indicators:
- Unusual API calls from non-admin users
- Multiple failed login attempts followed by a successful login from a different IP
- User privilege changes via API
Network Indicators:
- Unusual API request patterns
- Multiple account takeover attempts from single source
SIEM Query:
source="glpi_logs" AND ((event="api_call" AND user!="admin" AND action="user_modify") OR (event="login" AND result="success" AND ip_changed=true))
The field names are illustrative and must be mapped to the fields your GLPI log source actually emits; the inner parentheses make the intended precedence (either of the two patterns, within GLPI logs) explicit.