CVE-2022-39370: 
GLPI vulnerability analysis and mitigation

GLPI (Gestionnaire Libre de Parc Informatique), a Free Asset and IT Management Software package, was found to contain a vulnerability that could allow connected users to gain unauthorized access to the debug panel through the GLPI update script. The vulnerability was identified as CVE-2022-39370 and was disclosed on November 3, 2022. This security issue affects GLPI versions 0.70 and above, with a fix available in version 10.0.4 (GitHub Advisory).

The vulnerability has been classified with a CVSS v3.1 base score of 4.3 (Moderate severity). The attack vector is Network-based with Low attack complexity, requiring Low privileges and No user interaction. The scope is Unchanged, with Low impact on confidentiality and No impact on integrity or availability. The vulnerability is categorized under CWE-284, which relates to improper access control (GitHub Advisory).

The vulnerability allows connected users to potentially access sensitive debugging information through the GLPI update script, which could lead to unauthorized access to system information. The impact is primarily focused on confidentiality breaches, with no reported effects on system integrity or availability (GitHub Advisory).

Two mitigation options are available: 1) Upgrade to GLPI version 10.0.4 or later, which contains the security fix, or 2) Delete the install/update.php script as a temporary workaround (GitHub Advisory).