CVE-2024-48912
📋 TL;DR
This vulnerability in GLPI allows authenticated users to delete any user account via a specific application endpoint. It affects GLPI versions 10.0.0 through 10.0.16. Any organization using vulnerable GLPI versions with authenticated user access is at risk.
💻 Affected Systems
- GLPI
📦 What is this software?
GLPI by GLPI Project
⚠️ Risk & Real-World Impact
Worst Case
An attacker with authenticated access could delete all user accounts, including administrators, causing complete loss of access to the GLPI system and potential business disruption.
Likely Case
Malicious insider or compromised user account deletes targeted user accounts, disrupting operations and requiring account restoration.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized deletion of some accounts that can be restored from backups.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability is in a specific endpoint that can be accessed via web requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.0.17
Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-vjmw-j32j-ph4f
Restart Required: No
Instructions:
1. Back up your GLPI database and files.
2. Download GLPI 10.0.17 from the official repository.
3. Follow the GLPI upgrade procedure for your installation method (manual, package manager, etc.).
4. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Restrict User Account Deletion Permissions
Temporarily restrict user account deletion capabilities to administrators only while waiting to patch.
Configure GLPI user permissions to remove 'delete user' rights from non-admin users
Network Access Controls
Restrict access to GLPI endpoints to trusted IP addresses or networks only.
Configure firewall/web server rules to limit access to GLPI application
🧯 If You Can't Patch
- Implement strict access controls and monitor user account deletion activities
- Regularly backup user account data and maintain restore procedures
🔍 How to Verify
Check if Vulnerable:
Check the GLPI version via the web interface (Setup > General > Information) or by examining the GLPI installation files; any version from 10.0.0 through 10.0.16 is vulnerable.
Check Version:
Check GLPI web interface at Setup > General > Information or examine the GLPI installation directory for version files.
Verify Fix Applied:
Verify GLPI version is 10.0.17 or higher and test that authenticated non-admin users cannot delete other user accounts.
📡 Detection & Monitoring
Log Indicators:
- Unusual user deletion events in GLPI logs
- Multiple user deletion requests from single authenticated user
- User deletion requests targeting administrative accounts
Network Indicators:
- HTTP POST requests to user deletion endpoints from non-admin users
- Unusual patterns of account management requests
SIEM Query:
source="glpi_logs" AND (event="user_deletion" OR action="delete_user") AND user_role!="admin"
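As an added example (not part of this advisory or of the GLPI project), the script below applies the log indicators listed above to a constructed event log: deletions by non-admin actors, several deletions from one actor, and deletions targeting administrative accounts. The tab-separated record layout, the field names and the threshold are assumptions for illustration, not GLPI's real log schema.

```python
# Added example, not GLPI's own code. The record layout
# (ts, actor, actor_role, action, target, target_role) is an assumed,
# simplified schema, not GLPI's real log format.
from collections import Counter

MULTI_DELETE_THRESHOLD = 3  # assumed tuning value for "multiple deletions"

# Constructed sample events (tab-separated); not captured from a real system.
SAMPLE_LOG = """\
2024-10-01T09:00:01Z\tadmin\tadmin\tdelete_user\tjdoe\tuser
2024-10-01T09:05:12Z\talice\tuser\tdelete_user\tbob\tuser
2024-10-01T09:05:14Z\talice\tuser\tdelete_user\tcarol\tuser
2024-10-01T09:05:16Z\talice\tuser\tdelete_user\tglpi\tadmin
2024-10-01T09:10:00Z\tbob\tuser\tupdate_user\tbob\tuser
"""

def parse_log(text):
    """Parse tab-separated records into dicts; malformed lines are skipped."""
    fields = ("ts", "actor", "actor_role", "action", "target", "target_role")
    events = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != len(fields):
            continue
        events.append(dict(zip(fields, parts)))
    return events

def detect(events, threshold=MULTI_DELETE_THRESHOLD):
    """Return (indicator, actor, detail) tuples for the three log indicators."""
    alerts = []
    deletions = [e for e in events if e["action"] == "delete_user"]
    per_actor = Counter(e["actor"] for e in deletions)
    for e in deletions:
        if e["actor_role"] != "admin":
            alerts.append(("non_admin_deletion", e["actor"], e["target"]))
        if e["target_role"] == "admin":
            alerts.append(("admin_account_targeted", e["actor"], e["target"]))
    for actor, n in per_actor.items():
        if n >= threshold:
            alerts.append(("multiple_deletions", actor, str(n)))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log the administrator's single deletion produces no alert, while the non-admin actor trips all three indicators.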