CVE-2024-47760
📋 TL;DR
GLPI versions 9.1.0 through 10.0.16 contain an API vulnerability where authenticated technicians can escalate privileges to higher-level accounts. This allows attackers with existing technician access to compromise administrative or other privileged accounts. Organizations using affected GLPI versions with API access enabled are at risk.
💻 Affected Systems
- GLPI
📦 What is this software?
GLPI (Gestionnaire Libre de Parc Informatique), an open-source IT asset management and service desk platform, by the GLPI Project
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where an attacker gains administrative control, accesses sensitive data, modifies configurations, and potentially deploys malware or ransomware across the IT infrastructure.
Likely Case
Privilege escalation leading to unauthorized access to sensitive IT asset data, user information, and configuration settings, potentially enabling further lateral movement within the network.
If Mitigated
Limited impact if proper access controls, network segmentation, and monitoring are in place, with potential detection of unusual API activity before significant damage occurs.
🎯 Exploit Status
Exploitation requires valid technician credentials and API access. The advisory suggests the vulnerability is in API endpoint handling.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.0.17
Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-r3mx-fr5f-gwgp
Restart Required: Yes
Instructions:
1. Back up your GLPI database and files.
2. Download GLPI 10.0.17 from the official releases.
3. Follow the GLPI upgrade documentation for your version.
4. Restart your web server and verify the upgrade.
🔧 Temporary Workarounds
Disable API Access
Temporarily disable GLPI API access to prevent exploitation while planning the upgrade.
Edit GLPI configuration to disable API: Set $CFG_GLPI['enable_api'] = false; in config/config.php
Restrict API Access
Limit API access to specific IP addresses or networks.
Configure web server (Apache/Nginx) to restrict access to /api/* endpoints to trusted IPs only
🧯 If You Can't Patch
- Implement strict network segmentation to isolate GLPI servers from critical systems
- Enhance monitoring of API logs for unusual privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check GLPI version via Administration > General > About. If version is between 9.1.0 and 10.0.16 inclusive, the system is vulnerable.
Check Version:
Check the GLPI web interface at /index.php?redirect=front/central.php, or examine the config/glpicrypt.key file version.
Verify Fix Applied:
After upgrade, verify version shows 10.0.17 or higher in Administration > General > About. Test API functionality with technician credentials to ensure normal operation.
📡 Detection & Monitoring
Log Indicators:
- Unusual API requests from technician accounts attempting privilege escalation
- Multiple failed login attempts followed by successful API access
- API requests modifying user permissions or accessing admin endpoints
Network Indicators:
- Unusual API traffic patterns from technician IP addresses
- API requests to user management endpoints from non-admin accounts
SIEM Query:
source="glpi_logs" AND (api_access="true" AND user_role="technician" AND (endpoint="user" OR endpoint="profile" OR endpoint="permission"))
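The version check from the "How to Verify" section and the technician-API pattern behind the SIEM query above, worked as an added Python example (not part of the advisory and not GLPI project code). It assumes a constructed key=value log format whose field names mirror the SIEM query, and it goes beyond the query by flagging only write methods, so routine read-only API use by technicians is not alerted on.

```python
import re

# Affected range stated in the advisory: 9.1.0 through 10.0.16; fixed in 10.0.17.
FIRST_AFFECTED = (9, 1, 0)
FIXED_IN = (10, 0, 17)

def parse_version(text: str) -> tuple:
    """Turn a GLPI version string such as '10.0.16' into a comparable tuple.
    A missing patch number is treated as 0; suffixes after the numbers are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GLPI version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_vulnerable(version: str) -> bool:
    """True when the version lies inside the advisory's affected range (tuple compare,
    so '10.0.9' < '10.0.16' is handled correctly, unlike a string comparison)."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED_IN

SENSITIVE_ENDPOINTS = {"user", "profile", "permission"}  # from the SIEM query
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}       # assumption: modification only

def suspicious_api_events(lines) -> list:
    """Return events where a technician uses the API to modify user, profile or
    permission data. Log format (key=value pairs) is an assumption for this example."""
    hits = []
    for line in lines:
        ev = dict(kv.split("=", 1) for kv in line.split())
        if (ev.get("api_access") == "true"
                and ev.get("user_role") == "technician"
                and ev.get("endpoint") in SENSITIVE_ENDPOINTS
                and ev.get("method", "GET").upper() in WRITE_METHODS):
            hits.append(ev)
    return hits

# Constructed sample log lines (not real GLPI output); only the third one should alert.
SAMPLE_LOG = [
    "ts=2024-10-01T09:00:00Z user=tech1 user_role=technician api_access=true endpoint=ticket method=GET",
    "ts=2024-10-01T09:01:10Z user=tech1 user_role=technician api_access=true endpoint=user method=GET",
    "ts=2024-10-01T09:02:45Z user=tech1 user_role=technician api_access=true endpoint=profile method=PUT",
    "ts=2024-10-01T09:03:00Z user=admin user_role=admin api_access=true endpoint=user method=PUT",
]

if __name__ == "__main__":
    for v in ("9.0.9", "9.1.0", "10.0.16", "10.0.17"):
        print(v, "vulnerable" if is_vulnerable(v) else "not affected")
    for ev in suspicious_api_events(SAMPLE_LOG):
        print("ALERT", ev["ts"], ev["user"], ev["method"], ev["endpoint"])
```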