
CVE-2022-31062: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in glpi-project glpi-inventory-plugin

Medium
Published: Mon Jun 20 2022 (06/20/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: glpi-project
Product: glpi-inventory-plugin

Description

### Impact

A plugin public script can be used to read content of system files.

### Patches

Upgrade to version 1.0.2.

### Workarounds

The `b/deploy/index.php` file can be deleted if the deploy feature is not used.

AI-Powered Analysis

Last updated: 06/23/2025, 04:51:49 UTC

Technical Analysis

CVE-2022-31062 is a path traversal vulnerability (CWE-22) identified in the glpi-inventory-plugin, a component of the GLPI project, which is an open-source IT asset management and service management software widely used for inventory and helpdesk functions. The vulnerability exists in a public plugin script that improperly limits pathname input, allowing an attacker to traverse directories outside the intended restricted directory. This flaw enables unauthorized reading of arbitrary system files on the server hosting the vulnerable plugin. Specifically, versions of the glpi-inventory-plugin prior to 1.0.2 are affected. The vulnerability arises because the plugin fails to sanitize or validate user-supplied input that specifies file paths, permitting attackers to craft requests that access sensitive files by using relative path sequences (e.g., ../). The impact is primarily information disclosure, as attackers can read contents of system files, potentially exposing sensitive configuration files, credentials, or other critical data. The vulnerability does not require authentication, increasing its risk profile, and no user interaction is needed beyond sending crafted HTTP requests to the affected script. Although no known exploits have been reported in the wild, the vulnerability is publicly disclosed and patched in version 1.0.2. As a workaround, if the deploy feature is not used, deleting the 'b/deploy/index.php' file mitigates the risk by removing the vulnerable entry point. This vulnerability highlights the importance of proper input validation and access control in web applications, especially those managing sensitive IT infrastructure data.

Potential Impact

For European organizations, the exploitation of CVE-2022-31062 could lead to unauthorized disclosure of sensitive system files, including configuration files, credentials, or proprietary data stored on servers running the vulnerable glpi-inventory-plugin. This can facilitate further attacks such as privilege escalation, lateral movement, or targeted espionage. Organizations relying on GLPI for IT asset and service management may face operational disruptions if sensitive information is leaked or if attackers leverage disclosed data to compromise other systems. The breach of confidentiality can also lead to regulatory non-compliance under GDPR, resulting in legal and financial penalties. Public sector entities, critical infrastructure operators, and large enterprises using GLPI in Europe are particularly at risk due to the sensitive nature of their managed assets and data. Although the vulnerability does not directly impact system availability or integrity, the potential for information leakage and subsequent exploitation poses a significant security concern.

Mitigation Recommendations

1. Immediate upgrade of the glpi-inventory-plugin to version 1.0.2 or later to apply the official patch that addresses the path traversal vulnerability.
2. If upgrading is not immediately feasible, delete the 'b/deploy/index.php' file to disable the vulnerable deploy feature, effectively removing the attack vector.
3. Implement strict web application firewall (WAF) rules to detect and block suspicious path traversal patterns in HTTP requests targeting GLPI endpoints.
4. Conduct a thorough audit of server logs to identify any unusual access attempts or exploitation indicators related to path traversal.
5. Restrict file system permissions for the web server user to minimize access to sensitive files, ensuring that even if traversal is attempted, critical files remain inaccessible.
6. Employ network segmentation and access controls to limit exposure of GLPI servers to trusted networks only.
7. Regularly monitor and update all GLPI components and plugins to the latest secure versions to prevent exploitation of known vulnerabilities.
8. Educate IT and security teams on the specific risks associated with GLPI and path traversal vulnerabilities to improve incident response readiness.
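As an added example (not code from this advisory or the GLPI project), the log-audit step above carried out over constructed access-log lines: requests that reach the deploy script named in the workaround are checked for traversal sequences in any query parameter, including double-URL-encoded forms that a naive `../` string match would miss. The `/plugins/example/` URL prefix and the `file` parameter are hypothetical; only `b/deploy/index.php` comes from the advisory.

```python
"""Audit access logs for traversal attempts against the deploy script named in
CVE-2022-31062. Added example; not code from the advisory or the GLPI project."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Entry point named in the advisory's workaround. The URL prefix and the "file"
# query parameter in the sample lines are hypothetical, chosen for illustration.
VULNERABLE_SCRIPT = "b/deploy/index.php"

# Constructed Common Log Format lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jun/2022:10:01:02 +0000] "GET /plugins/example/b/deploy/index.php?file=report.tar.gz HTTP/1.1" 200 1024
203.0.113.11 - - [20/Jun/2022:10:01:05 +0000] "GET /plugins/example/b/deploy/index.php?file=../../../../etc/passwd HTTP/1.1" 200 2048
203.0.113.12 - - [20/Jun/2022:10:01:09 +0000] "GET /plugins/example/b/deploy/index.php?file=%252e%252e%252f%252e%252e%252fetc%252fhosts HTTP/1.1" 200 512
203.0.113.13 - - [20/Jun/2022:10:02:00 +0000] "GET /index.php?redirect=../login.php HTTP/1.1" 302 0
"""

_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')  # quoted request line

def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %2e%2e%2f and the
    double-encoded %252e%252e%252f both normalise to '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value: str) -> bool:
    """True when any segment of the decoded value is exactly '..' (backslash counts as a separator)."""
    return ".." in fully_decode(value).replace("\\", "/").split("/")

def suspicious_requests(log_text: str) -> list[dict]:
    """One finding per log line that hits the deploy script with a traversal sequence in a query parameter."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = _REQ_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("uri"))
        if not fully_decode(parts.path).endswith(VULNERABLE_SCRIPT):
            continue  # other scripts are out of scope for this check
        # parse_qsl decodes one layer; fully_decode strips any remaining layers
        for key, val in parse_qsl(parts.query, keep_blank_values=True):
            if has_traversal(val):
                findings.append({"line": lineno, "param": key, "value": fully_decode(val)})
                break
    return findings
```

Calling `suspicious_requests(SAMPLE_LOG)` flags lines 2 and 3 only; line 4 carries a traversal sequence but targets a different script, which keeps the check scoped to the advisory's entry point.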


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-05-18T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9844c4522896dcbf3483

Added to database: 5/21/2025, 9:09:24 AM

Last enriched: 6/23/2025, 4:51:49 AM

Last updated: 7/28/2025, 12:05:52 PM

Views: 15
