
CVE-2022-21720: n/a in n/a

Medium
Published: Fri Jan 28 2022 (01/28/2022, 10:15:14 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

GLPI is a free asset and IT management software package. Prior to version 9.5.7, an entity administrator is capable of retrieving normally inaccessible data via SQL injection. Version 9.5.7 contains a patch for this issue. As a workaround, disabling the `Entities` update right prevents exploitation of this vulnerability.

AI-Powered Analysis

Last updated: 07/06/2025, 23:25:17 UTC

Technical Analysis

CVE-2022-21720 is a medium-severity SQL injection vulnerability affecting GLPI, a free and open-source asset and IT management software widely used for IT service management. The vulnerability exists in versions prior to 9.5.7 and allows an entity administrator—who normally has restricted privileges limited to their own entity—to retrieve data that should be inaccessible. This is achieved through improper sanitization of input parameters in SQL queries, enabling the attacker to manipulate the query logic and extract sensitive information from the database. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), indicating a classic SQL injection flaw. Exploitation does not require user interaction but does require the attacker to have entity administrator privileges, which limits the attack surface to insiders or compromised accounts with elevated rights. The vulnerability does not impact data integrity or availability but compromises confidentiality by exposing sensitive data. The issue was patched in GLPI version 9.5.7, and as a temporary workaround, disabling the 'Entities' update right for entity administrators prevents exploitation. No known exploits are reported in the wild, but the presence of this vulnerability in a widely deployed IT management tool poses a risk if not remediated promptly.

Potential Impact

For European organizations, the impact of CVE-2022-21720 can be significant, especially for those relying on GLPI for IT asset and service management. The ability of an entity administrator to access unauthorized data could expose sensitive organizational information, including asset inventories, user data, or configuration details. This could facilitate further attacks such as privilege escalation, targeted phishing, or lateral movement within the network. Confidentiality breaches may also have regulatory implications under GDPR, potentially resulting in legal and financial penalties. Since GLPI is often used in public sector, education, and enterprise environments across Europe, the vulnerability could affect critical infrastructure management and IT operations. The requirement for elevated privileges reduces the risk from external attackers, but it concentrates the threat in insider misuse or compromised entity administrator accounts. Because integrity and availability are not affected, the vulnerability is less likely to cause operational disruption, but it remains a serious data confidentiality concern.

Mitigation Recommendations

European organizations using GLPI should immediately upgrade to version 9.5.7 or later to apply the official patch addressing CVE-2022-21720. Until the upgrade can be performed, administrators should disable the 'Entities' update right for entity administrators to prevent exploitation. Additionally, organizations should audit entity administrator accounts for suspicious activity and enforce strong authentication mechanisms, such as multi-factor authentication, to reduce the risk of account compromise. Regularly reviewing and minimizing privileges assigned to entity administrators can limit the potential attack surface. Network segmentation and monitoring of database queries related to GLPI can help detect anomalous access patterns indicative of exploitation attempts. Finally, organizations should ensure that backups and incident response plans are in place to respond to any potential data breaches resulting from this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2021-11-16T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981ec4522896dcbdbe7a

Added to database: 5/21/2025, 9:08:46 AM

Last enriched: 7/6/2025, 11:25:17 PM

Last updated: 8/4/2025, 12:51:24 PM

Views: 16
