Multiple Critical Vulnerabilities Expose GLPI to Widespread Attacks

GLPI - CVE-2024-50339

A series of critical security vulnerabilities have been discovered in GLPI (Gestionnaire Libre de Parc Informatique), a widely used open-source IT asset management and service desk software. These vulnerabilities, if exploited, could allow attackers to hijack user sessions, delete accounts, and even take complete control of administrative accounts. Users are strongly urged to update to the latest version, 10.0.17, immediately.

The vulnerabilities, identified with CVE identifiers, pose significant risks to organizations relying on GLPI for their IT management needs. Here’s a breakdown of the key flaws:

  • CVE-2024-50339 (CVSS 9.3): Unauthenticated Session Hijacking: This is the most critical of the vulnerabilities, boasting a CVSS score of 9.3, indicating a critical severity. This flaw allows an unauthenticated attacker to retrieve all session IDs and use them to impersonate any logged-in user. This means an attacker doesn’t even need valid credentials to gain access to sensitive data and perform actions on behalf of legitimate users. This vulnerability poses an immediate and significant threat to any GLPI instance exposed to the internet.

  • CVE-2024-48912 (CVSS 7.2): Insecure Account Deletion: This vulnerability allows any authenticated user, even with limited privileges, to delete any user account within the GLPI system. This could be exploited by malicious insiders or compromised accounts to disrupt operations, delete critical accounts, or cover their tracks after other malicious activity.

  • CVE-2024-47760 (CVSS 7.5): Account Takeover via API: This vulnerability focuses on API access. A technician with access to the GLPI API can leverage this flaw to escalate their privileges and take control of accounts with higher permissions, potentially including administrative accounts.

  • CVE-2024-47761 (CVSS 7.5): Account Takeover via Password Reset: This vulnerability targets the password reset functionality. An administrator with access to the content of sent notifications (e.g., email server access) can exploit this flaw to take control of other user accounts, including those with higher privileges. This highlights the importance of securing not only the GLPI application itself but also related infrastructure like email servers.

The combined effect of these vulnerabilities paints a serious security picture for GLPI users. The ability for unauthenticated users to hijack sessions (CVE-2024-50339) is particularly alarming, as it opens the door to widespread attacks with minimal effort from the attacker.

The vendor has released GLPI version 10.0.17, which addresses all of these vulnerabilities. Users are strongly advised to upgrade to this version immediately to mitigate the risk of exploitation. Delaying the update could leave systems vulnerable to attack, potentially leading to data breaches, system disruption, and other serious consequences. It is also highly recommended to review access controls and monitor system logs for any suspicious activity. This incident serves as a stark reminder of the importance of regular software updates and proactive security practices in maintaining a secure IT environment.

Related Posts: