GLPI - CVE-2022-35947 - CVE-2022-35914

2 critical flaws, including one massively exploited!

On September 14, 2022, the publisher Teclib posted two new versions of GLPI to correct two critical vulnerabilities, one of which has been massively exploited in attacks since October 3, 2022. Let’s take stock.

Since September 14, 2022, GLPI 9.5.9 and GLPI 10.0.3 have been available for download, and this is an update to install urgently on your GLPI server, especially if it is reachable from the Internet, because these versions correct 2 critical flaws:

  • CVE-2022-35947: “SQL injection” vulnerability – CVSSv3 score 9.8 out of 10
  • CVE-2022-35914: “remote code execution” vulnerability – CVSSv3 score 9.8 out of 10

According to Teclib, the vulnerability CVE-2022-35914, present in the third-party “htmlawed” library, has been massively exploited in cyberattacks since October 3, 2022, including in France, where GLPI is widely used! This library is used to sanitize the input fields (“input text”). The vendor recommends installing the update as soon as possible, choosing the release that matches your current major version, GLPI 9.5 or GLPI 10.

Caution: to perform the update, you must start from an empty folder and not overwrite the existing GLPI files. Otherwise, the new version that is supposed to correct the security vulnerabilities will remain vulnerable! Personally, I always start from an empty folder to update GLPI, so that only the files of the current version are present and no old files linger in the GLPI directories. Then you have to remember to restore the configuration, the data files (the “files/” directory) and any plugins you use.
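The clean-directory update described above, as an added shell example (not from the article or from Teclib): it assumes the old install is in one directory, the new release has already been extracted into a fresh, empty directory, and site-specific data lives in config/, files/ and plugins/ (the article names files/ and plugins; config/ is an assumption). It also lists the stale application files that an in-place overwrite would have kept.

```shell
#!/bin/sh
# Added example, not part of the article: update GLPI from an empty folder
# instead of overwriting the old tree, then report what an overwrite would
# have left behind. Assumed layout: config/, files/, plugins/ hold site data.
set -eu

KEEP_DIRS="config files plugins"

# glpi_clean_update OLD NEW
# Copies only the site-specific directories from OLD into NEW, so every
# application file in NEW stays exactly as shipped in the new release.
glpi_clean_update() {
  old="$1"; new="$2"
  for d in $KEEP_DIRS; do
    if [ -d "$old/$d" ]; then
      mkdir -p "$new/$d"
      cp -Rp "$old/$d/." "$new/$d/"
    fi
  done
}

# glpi_leftover_files OLD NEW
# Prints application files present in OLD but absent from NEW: these are the
# stale files an in-place overwrite would have kept (possibly still vulnerable).
glpi_leftover_files() {
  old="$1"; new="$2"
  (cd "$old" && find . -type f) | while IFS= read -r f; do
    case "$f" in
      ./config/*|./files/*|./plugins/*) continue ;;  # site data, kept on purpose
    esac
    [ -e "$new/$f" ] || printf '%s\n' "$f"
  done
}

# Usage: sh glpi_update.sh /path/to/old-glpi /path/to/new-empty-glpi
if [ $# -eq 2 ]; then
  glpi_clean_update "$1" "$2"
  echo "Stale files an in-place overwrite would have kept:"
  glpi_leftover_files "$1" "$2"
fi
```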

In the security bulletin, Teclib states: “If your server has already been corrupted, you probably need to start from a new server, on which you will import an SQL dump and the files mentioned above.” Finally, Teclib specifies that GLPI Network Cloud instances (GLPI in SaaS mode) are not affected by these security risks.

The releases are available on GitHub: GLPI.

Source: Teclib security bulletin
