CVE-2022-36112: CWE-918: Server-Side Request Forgery (SSRF) in glpi-project glpi
GLPI stands for Gestionnaire Libre de Parc Informatique and is a free asset and IT management software package that provides ITIL service desk features, license tracking and software auditing. Usage of RSS feeds or external calendars in planning is subject to SSRF exploitation. Server-side requests can be used to scan ports or services open on the GLPI server or its private network. Query responses are not exposed to the end user (blind SSRF). Users are advised to upgrade to version 10.0.3 to resolve this issue. There are no known workarounds.
AI Analysis
Technical Summary
CVE-2022-36112 is a Server-Side Request Forgery (SSRF) vulnerability identified in versions of the GLPI software prior to 10.0.3. GLPI (Gestionnaire Libre de Parc Informatique) is an open-source IT asset and service management software widely used for ITIL service desk operations, license tracking, and software auditing. The vulnerability arises from the handling of external resources such as RSS feeds or external calendars within the planning module. An attacker can exploit this SSRF flaw by manipulating server-side requests to make the GLPI server initiate HTTP requests to arbitrary internal or external resources. Although the responses to these requests are not directly exposed to the attacker (blind SSRF), the attacker can leverage this to scan internal network ports or services accessible from the GLPI server, potentially mapping internal infrastructure or identifying vulnerable services behind firewalls. This can lead to further exploitation or lateral movement within the network. The vulnerability does not require user interaction beyond having access to the affected GLPI instance, and no authentication requirements are explicitly stated, though exploitation feasibility depends on attacker access to the GLPI interface. The vendor has addressed the issue in version 10.0.3, and no known workarounds exist. There are no known exploits in the wild at this time, but the risk remains due to the nature of SSRF vulnerabilities and the critical role GLPI plays in IT management environments.
Potential Impact
For European organizations, the impact of this SSRF vulnerability can be significant, especially for entities relying on GLPI for IT asset management and service desk operations. Exploitation could allow attackers to perform internal reconnaissance, identifying open ports and services within the organization's private network that are otherwise inaccessible externally. This can facilitate subsequent attacks such as privilege escalation, data exfiltration, or deployment of malware. Given that GLPI often manages sensitive IT infrastructure information, unauthorized access or disruption could compromise confidentiality and integrity of IT asset data. Additionally, if attackers leverage SSRF to access internal services, availability of critical IT management functions could be disrupted. The blind nature of the SSRF limits direct data leakage but does not mitigate the risk of internal network mapping and follow-on attacks. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and government, could face regulatory and reputational consequences if this vulnerability is exploited.
Mitigation Recommendations
The primary mitigation is to upgrade GLPI installations to version 10.0.3 or later, where the SSRF vulnerability has been patched. Organizations should prioritize this update in their patch management cycles. Beyond upgrading, administrators should implement network segmentation to limit the GLPI server's ability to reach sensitive internal services unnecessarily. Employing strict egress filtering and firewall rules to restrict outbound requests from the GLPI server can reduce SSRF exploitation impact. Additionally, monitoring and logging outbound requests from the GLPI server can help detect anomalous activity indicative of SSRF attempts. If upgrading immediately is not feasible, disabling or restricting the use of external RSS feeds and calendar integrations in GLPI can reduce attack surface. Finally, applying the principle of least privilege to the GLPI service account and ensuring that the server runs with minimal network permissions can further mitigate risk.
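As an added example (not GLPI project code), the following Python validator shows the kind of check a feed or calendar fetcher should apply before every server-side request, implementing the mitigations above in code: scheme and port restriction (so the fetcher cannot be turned into a port probe against internal hosts), rejection of loopback, private, link-local and multicast targets including IPv4-mapped IPv6 literals, an optional host allowlist, and resolving the name once so the connection uses the address that was checked. The function names and the constructed DNS map are assumptions for illustration.

```python
"""Outbound URL guard for server-side fetches such as RSS feeds or external
calendars. Added example, not GLPI project code: the function names and the
constructed DNS map below are assumptions for illustration."""
import ipaddress
import socket
from typing import Callable, Iterable, Optional, Set, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

ALLOWED_SCHEMES = {"http", "https"}
# Feeds and calendars only need the standard web ports; denying everything
# else stops the fetcher being used to probe arbitrary ports on internal hosts.
ALLOWED_PORTS = {80, 443}


class UnsafeURL(ValueError):
    """The URL must not be fetched server-side."""


def is_public_address(addr: IPAddress) -> bool:
    """True only for globally routable unicast addresses."""
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply to it.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # is_global already excludes loopback, private, link-local, unspecified and
    # reserved ranges; multicast is excluded separately.
    return addr.is_global and not addr.is_multicast


def system_resolver(host: str) -> Iterable[str]:
    """Resolve with the OS resolver; returns every address the name maps to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def validate_outbound_url(url: str,
                          resolver: Callable[[str], Iterable[str]] = system_resolver,
                          host_allowlist: Optional[Set[str]] = None) -> str:
    """Return the IP address the fetcher should connect to, or raise UnsafeURL.

    Connect to the returned address (keeping the original Host header) instead
    of re-resolving the name, and call this again for every redirect target,
    so a DNS answer cannot change between the check and the connection.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    try:
        port = parts.port
    except ValueError:
        raise UnsafeURL("malformed port") from None
    port = port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port not allowed: {port}")
    if host_allowlist is not None and host.lower() not in host_allowlist:
        raise UnsafeURL(f"host not on allowlist: {host}")

    # A literal address in the URL is checked directly, without DNS.
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        if not is_public_address(literal):
            raise UnsafeURL(f"non-public address: {host}")
        return str(literal)

    # A hostname must resolve only to public addresses: one internal answer
    # among several is enough to reach an internal service.
    addresses = list(resolver(host))
    if not addresses:
        raise UnsafeURL(f"unresolvable host: {host}")
    for addr in addresses:
        if not is_public_address(ipaddress.ip_address(addr)):
            raise UnsafeURL(f"{host} resolves to non-public address {addr}")
    return addresses[0]


def is_safe_outbound_url(url: str, **kwargs) -> bool:
    """Boolean convenience wrapper around validate_outbound_url()."""
    try:
        validate_outbound_url(url, **kwargs)
        return True
    except UnsafeURL:
        return False


# Constructed DNS map so the example runs offline; these are not real records.
CONSTRUCTED_DNS = {
    "feeds.example.com": ["93.184.216.34"],
    "internal-alias.example.com": ["10.0.0.5"],
    "mixed.example.com": ["93.184.216.34", "127.0.0.1"],
}


def constructed_resolver(host: str) -> Iterable[str]:
    return CONSTRUCTED_DNS.get(host.lower(), [])


if __name__ == "__main__":
    for candidate in ("https://feeds.example.com/rss.xml",
                      "http://127.0.0.1/",
                      "http://[::ffff:10.1.2.3]/",
                      "https://internal-alias.example.com/calendar.ics",
                      "http://feeds.example.com:8080/"):
        ok = is_safe_outbound_url(candidate, resolver=constructed_resolver)
        print(f"{candidate:50} -> {ok}")
```

The validator deliberately returns the resolved address rather than a bare pass/fail: a fetcher that checks the name and then lets its HTTP client resolve it again leaves a window in which a second DNS answer can point at an internal host. Pair the code check with the egress filtering described above, so that a bypass in the application layer still meets a network-layer deny.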
Affected Countries
France, Germany, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-07-15T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9845c4522896dcbf3e75
Added to database: 5/21/2025, 9:09:25 AM
Last enriched: 6/22/2025, 9:50:07 PM
Last updated: 8/14/2025, 3:45:11 PM
Related Threats
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
- CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)