Server-Side Request Forgery (SSRF) in GLPI - CVE-2022-36112

Published: September 14, 2022 / Updated: May 4, 2026


Vulnerability identifier: #VU129527
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-36112
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
GLPI
Software vendor:
glpi-project

Description

The vulnerability allows a remote authenticated user to scan ports or services on the GLPI server itself or on hosts in its private network.

The vulnerability exists due to server-side request forgery (SSRF) in the RSS feeds and Planning features: when GLPI processes an RSS feed or an external calendar source, it fetches the user-supplied URL from the server without restricting the destination. A remote user can therefore supply a feed or calendar source URL that points at internal addresses and ports, and use the server as a proxy to probe which hosts and services are reachable from it.

The SSRF is blind: the content of the response to the forged request is not exposed to the end user. The impact is consequently limited to discovering reachable hosts and open services, which is reflected in the low severity rating.
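The defensive pattern that closes this class of bug is to validate the destination of every server-side fetch before it is made: allow only HTTP(S), only the expected ports, and only hosts whose every resolved address is publicly routable, so that loopback, RFC 1918, link-local (including the cloud metadata address 169.254.169.254) and IPv4-mapped IPv6 targets are refused. The following is an added example written for this page, in Python rather than GLPI's PHP; it is not GLPI's code or its actual fix. The function names (`check_feed_url`, `constructed_resolve`), the allowed-port set and the DNS table are assumptions constructed for the demonstration.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional, Tuple
from urllib.parse import urlsplit

# Assumptions (not GLPI's code): feeds and calendars are fetched over
# HTTP(S) on the default ports, and this check runs right before the fetch.
ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_PORTS = {80, 443}

Resolver = Callable[[str], Iterable[str]]


def _is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:10.0.0.1 is IPv4 10.0.0.1 in disguise; apply the IPv4 rules to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (
        ip.is_private       # RFC 1918, 127/8, 169.254/16, fc00::/7, ...
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def _system_resolve(host: str) -> Iterable[str]:
    """Default resolver: every A/AAAA answer for the name."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_feed_url(url: str, resolve: Optional[Resolver] = None,
                   allowed_ports: set = DEFAULT_PORTS) -> Tuple[bool, str]:
    """Decide whether a user-supplied feed/calendar URL may be fetched.

    Returns (allowed, reason). Rejects non-HTTP schemes, embedded
    credentials, unexpected ports, and any host that resolves to a
    loopback, private, link-local or otherwise non-public address.
    """
    resolve = resolve or _system_resolve
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a bad port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in allowed_ports:
        return False, f"port {port} not allowed"

    # Literal IPs are checked directly; names are resolved first and every
    # answer must be public, so a mix of public and private answers fails.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = list(resolve(host))
        except (OSError, LookupError) as exc:
            return False, f"cannot resolve {host!r}: {exc}"
    if not addrs:
        return False, f"{host!r} resolved to no addresses"
    for addr in addrs:
        if not _is_public_address(addr):
            return False, f"{host!r} points at non-public address {addr}"
    return True, "ok"


# Constructed DNS table so the example runs offline; not real hosts.
CONSTRUCTED_DNS = {
    "feeds.example.net": ["93.184.216.34"],
    "intranet.example.net": ["10.0.0.5"],
    "metadata.example.net": ["169.254.169.254"],
    "mapped.example.net": ["::ffff:192.168.1.1"],
    "mixed.example.net": ["93.184.216.34", "172.16.0.2"],
}


def constructed_resolve(host: str) -> Iterable[str]:
    """Offline stand-in for DNS; raises KeyError for unknown names."""
    return CONSTRUCTED_DNS[host]


if __name__ == "__main__":
    for u in ("https://feeds.example.net/rss.xml", "http://intranet.example.net/",
              "http://metadata.example.net/latest/", "http://[::1]/",
              "https://feeds.example.net:8443/", "file:///etc/passwd"):
        print(u, "->", check_feed_url(u, resolve=constructed_resolve))
```

Two caveats matter in practice. The check feeds the resolver's answer, not the raw hostname, into the address test, so spellings such as `0x7f000001` or `2130706433` that `getaddrinfo` normalises to 127.0.0.1 are caught; but the HTTP client must then connect to the address that was checked (or re-run the check on every redirect hop and on its own resolution), otherwise a DNS rebinding or redirect to an internal address defeats the filter.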


Remediation

Install the security update from the vendor's website.

External links