CVE-2022-24867: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in glpi-project glpi
GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, license tracking and software auditing. When the config is passed to the JavaScript, some entries are filtered out. The variable ldap_pass is not filtered, and when you look at the source code of the rendered page, you can see the password for the root DN. Users are advised to upgrade. There is no known workaround for this issue.
AI Analysis
Technical Summary
CVE-2022-24867 is a vulnerability identified in versions of the GLPI software prior to 10.0.0. GLPI is an open-source IT asset and service management tool widely used for ITIL service desk operations, license tracking, and software auditing. The vulnerability arises from improper handling of sensitive configuration data passed to client-side JavaScript. Specifically, while most configuration entries are filtered before being exposed to the browser, the variable 'ldap_pass'—which contains the password for the LDAP root distinguished name (DN)—is not filtered. Consequently, when a user views the source code of the rendered web page, this sensitive LDAP root password is exposed in clear text. This exposure constitutes a CWE-200 weakness, which is the exposure of sensitive information to unauthorized actors. The vulnerability does not require authentication or user interaction to be exploited if an attacker can access the affected page, as the password is embedded in the client-side code. There is no known workaround other than upgrading to a patched version (10.0.0 or later). No public exploits have been reported in the wild as of the publication date, but the presence of sensitive credentials in client-side code represents a significant security risk, potentially enabling unauthorized access to LDAP directories and subsequent lateral movement or privilege escalation within affected environments.
Potential Impact
For European organizations using GLPI versions prior to 10.0.0, this vulnerability poses a significant risk to confidentiality and integrity of IT infrastructure. Exposure of the LDAP root DN password can allow attackers to gain unauthorized access to the organization's directory services, which often serve as the backbone for authentication and authorization across multiple systems. This can lead to unauthorized data access, modification, or deletion, and potentially full compromise of IT management systems. Given that GLPI is used in various sectors including government, education, and enterprises, the impact could extend to critical infrastructure and sensitive data. The vulnerability could also undermine trust in IT service management processes and compliance with data protection regulations such as GDPR, especially if the breach leads to exposure of personal or sensitive data. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, as the vulnerability is straightforward to identify by viewing page source and can be exploited by any attacker with access to the GLPI interface or its publicly accessible pages if misconfigured.
Mitigation Recommendations
The primary mitigation is to upgrade GLPI installations to version 10.0.0 or later, where this vulnerability has been addressed by properly filtering sensitive configuration variables before rendering them in client-side code. Until an upgrade can be performed, organizations should restrict access to GLPI interfaces to trusted and authenticated users only, ideally through network segmentation, VPNs, or IP whitelisting to minimize exposure. Additionally, review and harden LDAP access controls to limit the impact of any credential exposure. Monitoring and logging access to GLPI and LDAP services should be enhanced to detect any anomalous activity indicative of exploitation attempts. Organizations should also audit their GLPI configurations and source code to verify no other sensitive information is inadvertently exposed. Finally, consider rotating LDAP root DN passwords after patching to invalidate any potentially compromised credentials.
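The two patterns contrasted in the analysis above (a hand-maintained blocklist that misses ldap_pass versus an allowlist that withholds everything the browser does not need), plus the self-audit check the mitigation section recommends, as an added Python illustration; this is not GLPI's own PHP code, and every key name except ldap_pass, the window.appConfig name and the values are constructed for the example.

```python
import json
import re

# Constructed server-side configuration standing in for the GLPI config
# table. Only ldap_pass is taken from CVE-2022-24867; the rest is made up.
SERVER_CONFIG = {
    "url_base": "https://glpi.example.invalid",
    "language": "en_GB",
    "list_limit": 20,
    "smtp_passwd": "smtp-secret",
    "proxy_passwd": "proxy-secret",
    "ldap_pass": "root-dn-secret",   # LDAP root DN password
}

# Vulnerable pattern: a hand-maintained blocklist of keys to drop before the
# config reaches the browser. Any credential the list forgets (ldap_pass
# here) is rendered into the page source.
BLOCKLIST = {"smtp_passwd", "proxy_passwd"}

def client_config_blocklist(config):
    return {k: v for k, v in config.items() if k not in BLOCKLIST}

# Hardened pattern: an allowlist of the keys the client actually needs.
# Everything else is withheld by default, so a newly added credential
# cannot leak simply because nobody updated a denylist.
ALLOWLIST = {"url_base", "language", "list_limit"}

def client_config_allowlist(config):
    return {k: v for k, v in config.items() if k in ALLOWLIST}

# Audit check: flag client-side config keys whose names look like credentials.
# Usable as a regression test against whichever filter a template uses.
SENSITIVE_KEY = re.compile(r"pass|passwd|password|secret|token|key", re.I)

def leaked_secret_keys(client_config):
    """Return the client-side config keys that look like credentials."""
    return sorted(k for k in client_config if SENSITIVE_KEY.search(k))

def render_inline_script(client_config):
    """Serialise the client config the way a page template inlines it."""
    return "<script>window.appConfig = " + json.dumps(client_config) + ";</script>"

if __name__ == "__main__":
    for name, fn in (("blocklist", client_config_blocklist),
                     ("allowlist", client_config_allowlist)):
        print(name, "leaks:", leaked_secret_keys(fn(SERVER_CONFIG)))
```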
Affected Countries
France, Germany, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-02-10T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9843c4522896dcbf2d2c
Added to database: 5/21/2025, 9:09:23 AM
Last enriched: 6/23/2025, 10:08:10 AM
Last updated: 7/29/2025, 12:49:50 PM