Server-Side Request Forgery (SSRF) in GLPI - CVE-2022-36112

 

Server-Side Request Forgery (SSRF) in GLPI - CVE-2022-36112

Published: September 14, 2022 / Updated: May 4, 2026


Vulnerability identifier: #VU129527
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-36112
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: glpi-project
Affected software:
GLPI

Detailed vulnerability description

The vulnerability allows a remote user to scan ports or services on the GLPI server or its private network.

The vulnerability exists due to server-side request forgery in RSS feeds and planning when processing RSS feeds or external calendar data. A remote user can supply a crafted feed or calendar source to scan ports or services on the GLPI server or its private network.

Query responses are not exposed to the end user.


How to mitigate CVE-2022-36112

Install security update from vendor's website.

Sources