CVE-2022-31061 — SQL Injection in Glpi

CWE-89 — SQL Injection3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

51.8%

top 2.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Glpi-project Glpi

Timeline

PublishedJun 28

Latest updateJan 28

Description

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions there is a SQL injection vulnerability which is possible on login page. No user credentials are required to exploit this vulnerability. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDglpi-project/glpi9.3.0 — 9.5.8+1

▶CVEListV5glpi-project/glpi>= 10.0.0, < 10.0.2, >= 9.3.0, < 9.5.8+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2022-31061: GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing↗2022-06-28

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS GLPI Unauthenticated SQL Injection via Login (CVE-2022-31061)↗2026-01-28

▶