
CVE-2022-31082: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in glpi-project glpi-inventory-plugin

Medium
Published: Mon Jun 27 2022 (06/27/2022, 20:30:22 UTC)
Source: CVE
Vendor/Project: glpi-project
Product: glpi-inventory-plugin

Description

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. glpi-inventory-plugin is a plugin for GLPI to handle inventory management. In affected versions a SQL injection can be made using package deployment tasks. This issue has been resolved in version 1.0.2. Users are advised to upgrade. Users unable to upgrade should delete the `front/deploypackage.public.php` file if they are not using the `deploy tasks` feature.

AI-Powered Analysis

Last updated: 06/23/2025, 03:49:42 UTC

Technical Analysis

CVE-2022-31082 is a medium-severity SQL Injection vulnerability affecting the glpi-inventory-plugin, a component of the GLPI project, which is an open-source IT asset and service management software widely used for data center management, ITIL service desks, license tracking, and software auditing. The vulnerability exists in versions of the glpi-inventory-plugin prior to 1.0.2 and arises from improper neutralization of special elements in SQL commands (CWE-89). Specifically, the flaw is exploitable via the package deployment tasks feature, where user-supplied input is not adequately sanitized before being incorporated into SQL queries. This allows an attacker to inject malicious SQL code, potentially leading to unauthorized data access, data modification, or disruption of database integrity. The vulnerability can be exploited without authentication if the vulnerable endpoint (front/deploypackage.public.php) is accessible and the deploy tasks feature is enabled. The issue was resolved in version 1.0.2 of the plugin. For users unable to upgrade, a recommended mitigation is to delete the front/deploypackage.public.php file if the deploy tasks feature is not in use, effectively removing the attack surface. There are no known exploits in the wild reported to date, but the presence of a publicly accessible endpoint and the nature of SQL injection vulnerabilities make this a significant risk if left unpatched.

Potential Impact

For European organizations, the impact of this vulnerability can be considerable, especially for entities relying on GLPI and its inventory plugin for critical IT asset management and service desk operations. Successful exploitation could lead to unauthorized disclosure of sensitive asset and configuration data, manipulation or deletion of inventory records, and potential disruption of IT service management workflows. This could impair operational efficiency, lead to compliance violations (especially under GDPR if personal or sensitive data is involved), and increase the risk of further compromise if attackers leverage the vulnerability to pivot within the network. Organizations in sectors such as government, finance, healthcare, and critical infrastructure, which often use GLPI for asset and service management, may face heightened risks. Additionally, the vulnerability could be exploited to gain footholds in networks, facilitating broader attacks or data exfiltration.

Mitigation Recommendations

1. Immediate upgrade of the glpi-inventory-plugin to version 1.0.2 or later is the most effective mitigation to fully remediate the vulnerability.
2. For organizations unable to upgrade promptly, remove or restrict access to the front/deploypackage.public.php file, especially if the deploy tasks feature is not utilized, to eliminate the vulnerable attack vector.
3. Implement strict network-level access controls to limit exposure of GLPI web interfaces to trusted internal networks only, reducing the risk of external exploitation.
4. Conduct thorough input validation and sanitization on all user inputs related to package deployment tasks, if custom modifications exist.
5. Monitor logs for unusual SQL errors or suspicious activity around the deploypackage endpoint.
6. Employ Web Application Firewalls (WAFs) with rules targeting SQL injection patterns to provide an additional layer of defense.
7. Regularly audit and review GLPI and plugin versions across the organization to ensure timely patching of known vulnerabilities.
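A log check for recommendation 5, added here as an example and not part of the advisory or the GLPI project: it scans web server access log lines in the combined format, flags every request to the front/deploypackage.public.php endpoint named above, and raises the severity when the query string carries SQL metacharacters or the server answered with a 5xx error. The log lines and the plugin path prefix are constructed for the example.

```python
import re
from urllib.parse import unquote

# Apache/Nginx "combined" access log: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoint named in the advisory; the directory prefix differs per install, so match the suffix only.
VULN_ENDPOINT = "front/deploypackage.public.php"

# Generic SQL metacharacter markers (quotes, comment sequences, keywords), as WAF-style rules use.
SQLI_MARKERS = re.compile(r"['\"]|--|/\*|\b(union|select)\b", re.IGNORECASE)


def classify_line(line):
    """Return a finding dict for a hit on the vulnerable endpoint, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, raw_query = m.group("path").partition("?")
    if not path.endswith(VULN_ENDPOINT):
        return None
    query = unquote(raw_query)          # decode %27 etc. before inspecting
    status = int(m.group("status"))
    # Any hit is worth a look (the file should be absent if deploy tasks are unused);
    # SQL markers or a server error on this endpoint are the stronger signal.
    severity = "high" if (SQLI_MARKERS.search(query) or status >= 500) else "medium"
    return {"ip": m.group("ip"), "status": status, "query": query, "severity": severity}


def scan(lines):
    """Return the findings for all lines that touch the vulnerable endpoint, in log order."""
    return [hit for hit in (classify_line(line) for line in lines) if hit]


# Constructed sample log lines (assumed plugin prefix /glpi/plugins/glpiinventory/).
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Jun/2022:20:30:22 +0000] "GET /glpi/front/central.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/Jun/2022:20:31:02 +0000] "GET /glpi/plugins/glpiinventory/front/deploypackage.public.php?id=12 HTTP/1.1" 200 812 "-" "curl/7.68.0"',
    '198.51.100.9 - - [27/Jun/2022:20:31:40 +0000] "GET /glpi/plugins/glpiinventory/front/deploypackage.public.php?id=12%27 HTTP/1.1" 500 301 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```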


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-05-18T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9844c4522896dcbf362d

Added to database: 5/21/2025, 9:09:24 AM

Last enriched: 6/23/2025, 3:49:42 AM

Last updated: 7/28/2025, 5:41:34 AM

Views: 14
