CVE-2022-21720 — SQL Injection in Glpi

CWE-89 — SQL Injection2 documents2 sources

Severity

4.9MEDIUMNVD

EPSS

0.4%

top 38.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Glpi-project Glpi

Timeline

PublishedJan 28

Description

GLPI is a free asset and IT management software package. Prior to version 9.5.7, an entity administrator is capable of retrieving normally inaccessible data via SQL injection. Version 9.5.7 contains a patch for this issue. As a workaround, disabling the `Entities` update right prevents exploitation of this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages1 packages

▶NVDglpi-project/glpi< 9.5.7

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2022-21720: GLPI is a free asset and IT management software package↗2022-01-28

▶