CVE-2023-46726: 
GLPI vulnerability analysis and mitigation

GLPI, a free asset and IT management software package, was found to contain a remote code execution vulnerability (CVE-2023-46726) affecting versions 10.0.0 through 10.0.11. The vulnerability specifically impacts installations running on PHP 7.4, where the LDAP server configuration form could be exploited to execute arbitrary code previously uploaded as a GLPI document. The issue was discovered by Nikita Petrov from Positive Technologies and was patched in version 10.0.11 released on December 13, 2023 (GLPI Release, GHSA Advisory).

The vulnerability received a CVSS v3.1 base score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability can be exploited remotely (Network), requires low attack complexity, but needs high privileges to execute. No user interaction is required for exploitation, and the scope is unchanged. The potential impact on confidentiality, integrity, and availability is high (GHSA Advisory).

If successfully exploited, the vulnerability allows an attacker to execute arbitrary code on the affected system through the LDAP server configuration form, potentially leading to complete system compromise. The vulnerability affects all aspects of the CIA triad (Confidentiality, Integrity, and Availability) with high severity ratings (GHSA Advisory).

Two primary mitigation options are available: upgrading to GLPI version 10.0.11 which contains the security patch, or upgrading the PHP version to 8.x as the vulnerability only affects PHP 7.4. The developers strongly recommend upgrading PHP to at least version 8.2, noting that PHP 7.4 is outdated and no longer supported (GLPI Release).

The GLPI project team classified this as a high-severity security issue and strongly recommended users to upgrade. The release announcement emphasized the outdated status of PHP 7.4 and urged users to upgrade to more recent PHP versions (GLPI Release).