CVE-2022-31082 (GCVE-0-2022-31082)

Vulnerability from cvelistv5 – Published: 2022-06-27 20:30 – Updated: 2025-04-23 18:07
VLAI?
Title
SQL Injection via package deployment tasks in glpi-inventory-plugin
Summary
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. glpi-inventory-plugin is a plugin for GLPI to handle inventory management. In affected versions a SQL injection can be made using package deployment tasks. This issue has been resolved in version 1.0.2. Users are advised to upgrade. Users unable to upgrade should delete the `front/deploypackage.public.php` file if they are not using the `deploy tasks` feature.
Severity ?
5.8 (Medium)
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
Vendor Product Version
glpi-project glpi-inventory-plugin Affected: < 1.0.2
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:11:38.480Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-q6m7-h6rj-5wmw"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/glpi-project/glpi-inventory-plugin/commit/0b805ca6fb2a0f9bde4af29fca4f703fdfbd8f66"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-31082",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T14:04:29.911570Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T18:07:31.644Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "glpi-inventory-plugin",
          "vendor": "glpi-project",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.0.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. glpi-inventory-plugin is a plugin for GLPI to handle inventory management. In affected versions a SQL injection can be made using package deployment tasks. This issue has been resolved in version 1.0.2. Users are advised to upgrade. Users unable to upgrade should delete the `front/deploypackage.public.php` file if they are not using the `deploy tasks` feature."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-27T20:30:22.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-q6m7-h6rj-5wmw"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/glpi-project/glpi-inventory-plugin/commit/0b805ca6fb2a0f9bde4af29fca4f703fdfbd8f66"
        }
      ],
      "source": {
        "advisory": "GHSA-q6m7-h6rj-5wmw",
        "discovery": "UNKNOWN"
      },
      "title": "SQL Injection via package deployment tasks in glpi-inventory-plugin",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-31082",
          "STATE": "PUBLIC",
          "TITLE": "SQL Injection via package deployment tasks in glpi-inventory-plugin"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "glpi-inventory-plugin",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.0.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "glpi-project"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. glpi-inventory-plugin is a plugin for GLPI to handle inventory management. In affected versions a SQL injection can be made using package deployment tasks. This issue has been resolved in version 1.0.2. Users are advised to upgrade. Users unable to upgrade should delete the `front/deploypackage.public.php` file if they are not using the `deploy tasks` feature."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-q6m7-h6rj-5wmw",
              "refsource": "CONFIRM",
              "url": "https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-q6m7-h6rj-5wmw"
            },
            {
              "name": "https://github.com/glpi-project/glpi-inventory-plugin/commit/0b805ca6fb2a0f9bde4af29fca4f703fdfbd8f66",
              "refsource": "MISC",
              "url": "https://github.com/glpi-project/glpi-inventory-plugin/commit/0b805ca6fb2a0f9bde4af29fca4f703fdfbd8f66"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-q6m7-h6rj-5wmw",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-31082",
    "datePublished": "2022-06-27T20:30:22.000Z",
    "dateReserved": "2022-05-18T00:00:00.000Z",
    "dateUpdated": "2025-04-23T18:07:31.644Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:glpi-project:glpi_inventory:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.0.2\", \"matchCriteriaId\": \"4FBD0AAF-24B8-4D1A-A7B6-7FA8BA4E1F64\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. glpi-inventory-plugin is a plugin for GLPI to handle inventory management. In affected versions a SQL injection can be made using package deployment tasks. This issue has been resolved in version 1.0.2. Users are advised to upgrade. Users unable to upgrade should delete the `front/deploypackage.public.php` file if they are not using the `deploy tasks` feature.\"}, {\"lang\": \"es\", \"value\": \"GLPI es un paquete de software gratuito de administraci\\u00f3n de activos y TI, administraci\\u00f3n de centros de datos, ITIL Service Desk, seguimiento de licencias y auditor\\u00eda de software. glpi-inventory-plugin es un plugin para GLPI que permite administrar el inventario. En versiones afectadas puede realizarse una inyecci\\u00f3n SQL usando las tareas de despliegue de paquetes. Este problema ha sido resuelto en versi\\u00f3n 1.0.2. Es recomendado a usuarios actualizar. Los usuarios que no puedan actualizar deber\\u00e1n eliminar el archivo \\\"front/deploypackage.public.php\\\" si no usan la funci\\u00f3n \\\"deploy tasks\\\"\"}]",
      "id": "CVE-2022-31082",
      "lastModified": "2024-11-21T07:03:51.483",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N\", \"baseScore\": 5.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.3, \"impactScore\": 4.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2022-06-27T21:15:08.097",
      "references": "[{\"url\": \"https://github.com/glpi-project/glpi-inventory-plugin/commit/0b805ca6fb2a0f9bde4af29fca4f703fdfbd8f66\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-q6m7-h6rj-5wmw\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Mitigation\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/glpi-project/glpi-inventory-plugin/commit/0b805ca6fb2a0f9bde4af29fca4f703fdfbd8f66\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-q6m7-h6rj-5wmw\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mitigation\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-89\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-89\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-31082\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-06-27T21:15:08.097\",\"lastModified\":\"2024-11-21T07:03:51.483\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. glpi-inventory-plugin is a plugin for GLPI to handle inventory management. In affected versions a SQL injection can be made using package deployment tasks. This issue has been resolved in version 1.0.2. Users are advised to upgrade. Users unable to upgrade should delete the `front/deploypackage.public.php` file if they are not using the `deploy tasks` feature.\"},{\"lang\":\"es\",\"value\":\"GLPI es un paquete de software gratuito de administraci\u00f3n de activos y TI, administraci\u00f3n de centros de datos, ITIL Service Desk, seguimiento de licencias y auditor\u00eda de software. glpi-inventory-plugin es un plugin para GLPI que permite administrar el inventario. En versiones afectadas puede realizarse una inyecci\u00f3n SQL usando las tareas de despliegue de paquetes. Este problema ha sido resuelto en versi\u00f3n 1.0.2. Es recomendado a usuarios actualizar. Los usuarios que no puedan actualizar deber\u00e1n eliminar el archivo \\\"front/deploypackage.public.php\\\" si no usan la funci\u00f3n \\\"deploy tasks\\\"\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N\",\"baseScore\":5.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.3,\"impactScore\":4.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:glpi-project:glpi_inventory:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.0.2\",\"matchCriteriaId\":\"4FBD0AAF-24B8-4D1A-A7B6-7FA8BA4E1F64\"}]}]}],\"references\":[{\"url\":\"https://github.com/glpi-project/glpi-inventory-plugin/commit/0b805ca6fb2a0f9bde4af29fca4f703fdfbd8f66\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-q6m7-h6rj-5wmw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/glpi-project/glpi-inventory-plugin/commit/0b805ca6fb2a0f9bde4af29fca4f703fdfbd8f66\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-q6m7-h6rj-5wmw\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-q6m7-h6rj-5wmw\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/glpi-project/glpi-inventory-plugin/commit/0b805ca6fb2a0f9bde4af29fca4f703fdfbd8f66\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T07:11:38.480Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-31082\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T14:04:29.911570Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T14:04:31.279Z\"}}], \"cna\": {\"title\": \"SQL Injection via package deployment tasks in glpi-inventory-plugin\", \"source\": {\"advisory\": \"GHSA-q6m7-h6rj-5wmw\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"glpi-project\", \"product\": \"glpi-inventory-plugin\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.0.2\"}]}], \"references\": [{\"url\": \"https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-q6m7-h6rj-5wmw\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/glpi-project/glpi-inventory-plugin/commit/0b805ca6fb2a0f9bde4af29fca4f703fdfbd8f66\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. glpi-inventory-plugin is a plugin for GLPI to handle inventory management. In affected versions a SQL injection can be made using package deployment tasks. This issue has been resolved in version 1.0.2. Users are advised to upgrade. Users unable to upgrade should delete the `front/deploypackage.public.php` file if they are not using the `deploy tasks` feature.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-06-27T20:30:22.000Z\"}, \"x_legacyV4Record\": {\"impact\": {\"cvss\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}, \"source\": {\"advisory\": \"GHSA-q6m7-h6rj-5wmw\", \"discovery\": \"UNKNOWN\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"\u003c 1.0.2\"}]}, \"product_name\": \"glpi-inventory-plugin\"}]}, \"vendor_name\": \"glpi-project\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-q6m7-h6rj-5wmw\", \"name\": \"https://github.com/glpi-project/glpi-inventory-plugin/security/advisories/GHSA-q6m7-h6rj-5wmw\", \"refsource\": \"CONFIRM\"}, {\"url\": \"https://github.com/glpi-project/glpi-inventory-plugin/commit/0b805ca6fb2a0f9bde4af29fca4f703fdfbd8f66\", \"name\": \"https://github.com/glpi-project/glpi-inventory-plugin/commit/0b805ca6fb2a0f9bde4af29fca4f703fdfbd8f66\", \"refsource\": \"MISC\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. glpi-inventory-plugin is a plugin for GLPI to handle inventory management. In affected versions a SQL injection can be made using package deployment tasks. This issue has been resolved in version 1.0.2. Users are advised to upgrade. Users unable to upgrade should delete the `front/deploypackage.public.php` file if they are not using the `deploy tasks` feature.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2022-31082\", \"STATE\": \"PUBLIC\", \"TITLE\": \"SQL Injection via package deployment tasks in glpi-inventory-plugin\", \"ASSIGNER\": \"security-advisories@github.com\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-31082\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-23T18:07:31.644Z\", \"dateReserved\": \"2022-05-18T00:00:00.000Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2022-06-27T20:30:22.000Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.