CVE-2022-36112 LOW

CVE-2022-36112: Blind Server-Side Request Forgery (SSRF) in GLPI

Vendor Glpi-Project

Product glpi

Weakness CWE-918 · SSRF

Published September 14, 2022

Last update April 23, 2025

View on NVD All CVEs

CVSS base score

3.5/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Usage of RSS feeds or extenal calendar in planning is subject to SSRF exploit. Server-side requests can be used to scan server port or services opened on GLPI server or its private network. Queries responses are not exposed to end-user (blind SSRF). Users are advised to upgrade to version 10.0.3 to resolve this issue. There are no known workarounds.

Key dates

02Disclosure timeline

September 14, 2022 CVE published

April 23, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-36112 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/918.html

Related vulnerabilities

CVE-2022-36112: Blind Server-Side Request Forgery (SSRF) in GLPI

01Description

02Disclosure timeline

03References

04Related CVE