CVE-2024-27098
Published 2024-03-18
Priority: P274 · Critical 9.6 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:H / A:N
EPSS: 37.53% (98.3rd percentile)
GLPI is a free asset and IT management software package covering data center management, an ITIL service desk, license tracking and software auditing. An authenticated user can execute an SSRF-based attack using arbitrary object instantiation. This issue has been patched in version 10.0.13.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| glpi-project | glpi | — | — |
| glpi-project | glpi | >= 9.5.0 < 10.0.13 | 10.0.13 |
Detection & IOCs (extracted from sources)
- URL: /front/itilsolution.form.php
- Bytes: items_id|3d| (the literal `items_id=`)
- Snort/Suricata rule (ET sid 2067157):

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GLPI Authenticated Server-Side Request Forgery via Arbitrary Object Instantiation (CVE-2024-27098)"; flow:established,to_server; http.uri; content:"/front/itilsolution.form.php"; fast_pattern; http.request_body; content:"items_id|3d|"; pcre:"/^[^&]*?\w+\x3a\x2f{2}/R"; reference:url,blog.quarkslab.com/exploiting-glpi-during-a-red-team-engagement.html; reference:cve,2024-27098; classtype:web-application-attack; sid:2067157; rev:1; metadata:affected_product GLPI, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_28, cve CVE_2024_27098, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2026_01_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```

- The rule keys on the POST body of /front/itilsolution.form.php: it requires that URI in the request line and the literal `items_id=` in the request body, so monitor requests to this endpoint for SSRF payloads in the items_id parameter.
- The PCRE is applied relative to the end of the `items_id=` match (`/R`): it lazily skips characters up to the next `&` and then requires `<word chars>://`, i.e. a URI scheme (http://, ftp://, gopher://, ...) embedded in the items_id value, which is the signature of the arbitrary-object-instantiation SSRF attempt.
- Exploitation requires an authenticated session; correlate hits with a prior successful login for the same source before escalating.
- The exploit technique and additional context are documented in the referenced Quarkslab blog post, which is useful for understanding the full attack chain.
- The rule is classified as web-application-attack targeting the destination server; deploy it at perimeter, internal and SSL-decrypting inspection points.
- The metadata specifies tls_state TLSDecrypt: on TLS-encrypted traffic the rule only fires if SSL/TLS inspection (decryption) is enabled on the sensor.
- The rule matches the request pattern regardless of the target's version. A hit against an instance already running 10.0.13 or later records an attempt rather than a compromise, but it is still attacker activity worth correlating against any unpatched GLPI hosts the same source can reach.
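The matching logic of the ET rule above, re-implemented in Python and run over constructed HTTP requests, as an added example that is not part of this page or of the Emerging Threats rule set. It reproduces the URI check, the `items_id=` content match and the relative PCRE, and adds a second, percent-decoding check that the rule itself does not perform: the rule's content and pcre operate on the raw body bytes, so a value sent as `items_id=ftp%3A%2F%2F...` (the way a browser form-encodes `:` and `/`) contains no literal `://` and does not match as written. All sample requests and the decoded variant are constructed for illustration.

```python
"""Mirror of ET sid 2067157 (GLPI CVE-2024-27098 SSRF) over constructed requests,
plus a percent-decoding variant. The sample traffic below is made up."""
import re
from urllib.parse import parse_qs

URI_NEEDLE = "/front/itilsolution.form.php"
BODY_NEEDLE = b"items_id="
# The rule's PCRE as written: anchored at the byte after "items_id=" (the /R
# modifier), lazily skip non-'&' bytes, then require <word chars>:// (a scheme).
SCHEME_AFTER_PARAM = re.compile(rb"^[^&]*?\w+\x3a\x2f{2}")
# For the decoded variant (my addition, not in the rule): a scheme anywhere in
# the decoded items_id value.
SCHEME_ANYWHERE = re.compile(r"\w+://")

# Constructed samples: (label, request URI, raw request body as sent on the wire).
# 198.51.100.0/24 is TEST-NET-2; none of this is real traffic.
SAMPLE_REQUESTS = [
    ("literal-scheme", URI_NEEDLE, b"itemtype=Ticket&items_id=http://198.51.100.7/probe"),
    ("benign", URI_NEEDLE, b"itemtype=Ticket&items_id=42"),
    ("percent-encoded", URI_NEEDLE, b"itemtype=Ticket&items_id=ftp%3A%2F%2F198.51.100.7%2F"),
    ("other-endpoint", "/front/ticket.form.php", b"items_id=http://198.51.100.7/"),
    ("scheme-in-other-param", URI_NEEDLE, b"content=see+http://198.51.100.7/&items_id=42"),
]


def et_rule_matches(uri: str, body: bytes) -> bool:
    """True when the request satisfies sid 2067157 as written: endpoint in the URI,
    literal 'items_id=' in the raw body, and the rule's PCRE matching right after
    some occurrence of it. Suricata retries later occurrences of a content match
    when a relative PCRE fails, so every occurrence is tried here too."""
    if URI_NEEDLE not in uri:
        return False
    pos = body.find(BODY_NEEDLE)
    while pos != -1:
        if SCHEME_AFTER_PARAM.match(body[pos + len(BODY_NEEDLE):]):
            return True
        pos = body.find(BODY_NEEDLE, pos + 1)
    return False


def decoded_items_id_has_scheme(body: bytes) -> bool:
    """Variant that percent-decodes the form body first, so an encoded scheme
    such as 'ftp%3A%2F%2F' is recognised. Not part of the ET rule."""
    params = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return any(SCHEME_ANYWHERE.search(value) for value in params.get("items_id", []))


def evaluate(samples=SAMPLE_REQUESTS):
    """Return {label: (raw_rule_hit, decoded_variant_hit)} for each sample request."""
    return {
        label: (et_rule_matches(uri, body),
                URI_NEEDLE in uri and decoded_items_id_has_scheme(body))
        for label, uri, body in samples
    }


if __name__ == "__main__":
    for label, (raw_hit, decoded_hit) in evaluate().items():
        print(f"{label:24} raw-rule={str(raw_hit):5} decoded-variant={decoded_hit}")
```

Running it shows the literal-scheme request firing both checks, the benign and off-endpoint requests firing neither, the scheme in a different parameter being correctly ignored because `[^&]*?` cannot cross the `&`, and the percent-encoded request being caught only by the decoding variant. Whether that last gap matters on your sensor depends on how the attacker's client encodes the body; if it does, pair the rule with an application-layer check or with GLPI's own access logs.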
CVSS provenance
- NVD (v3.1): 9.6 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
- OSV: 9.6 CRITICAL
Suricata
ET WEB_SPECIFIC_APPS GLPI Authenticated Server-Side Request Forgery via Arbitrary Object Instantiation (CVE-2024-27098)
suricata · rule dated 2026-01-28 · rated MEDIUM (CVSS 6.4) in the Emerging Threats rule metadata, lower than the NVD score above
The full rule text (sid 2067157) is reproduced under Detection & IOCs.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/glpi-project/glpi/security/advisories/GHSA-92x4-q9w5-837w
- https://github.com/glpi-project/glpi/commit/3b6bc1b4aa1f3693b20ada3425d2de5108522484
- https://github.com/glpi-project/glpi/releases/tag/10.0.13