CVE-2023-51446: 
GLPI vulnerability analysis and mitigation

GLPI, a Free Asset and IT Management Software package, was found to be vulnerable to LDAP injection (CVE-2023-51446). When authentication is made against an LDAP server, the authentication form could be exploited to perform LDAP injection attacks. This vulnerability affects all GLPI versions prior to 10.0.12, which was released on February 1, 2024 (GLPI Release, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue stems from improper neutralization of special elements used in LDAP queries (CWE-90) and improper neutralization of special elements in output used by a downstream component (CWE-74). The vulnerability was addressed by implementing proper LDAP escaping of user login during LDAP operations (GitHub Commit).

The vulnerability could allow attackers to perform LDAP injection attacks through the authentication form when LDAP authentication is enabled. This could potentially lead to unauthorized access to sensitive information stored in the LDAP directory (GLPI Advisory).

The recommended mitigation is to upgrade to GLPI version 10.0.12 or later, which contains the security fix for this vulnerability. The fix includes proper escaping of user login during LDAP operations (GLPI Release).