CVE-2022-39234 is a vulnerability identified in the GLPI (Gestionnaire Libre de Parc Informatique) software, an open-source IT asset and service management platform widely used for ITIL service desk functionalities, license tracking, and software auditing. The vulnerability is classified under CWE-613, which pertains to insufficient session expiration. Specifically, the issue arises because deleted or deactivated user accounts in GLPI versions prior to 10.0.4 remain active as long as the session cookie associated with those accounts remains valid. This means that even after an account is removed or disabled, an attacker or former user could continue to access the system using a valid session cookie, bypassing intended access controls. The root cause is inadequate session invalidation upon user account deletion or deactivation, which violates secure session management best practices. This flaw can lead to unauthorized access, potentially exposing sensitive IT asset data, service desk tickets, and license information. The vulnerability was publicly disclosed on November 3, 2022, and has been patched in GLPI version 10.0.4. No known exploits have been reported in the wild, and no workarounds exist other than upgrading to the fixed version. The vulnerability affects all GLPI installations running versions earlier than 10.0.4. Given GLPI’s role in managing critical IT infrastructure and service operations, this vulnerability poses a risk of unauthorized data access and potential disruption of IT service management processes if exploited.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on GLPI for IT asset management and service desk operations. Unauthorized access via stale session cookies could allow former employees or malicious actors to access sensitive information such as hardware and software inventories, license details, and internal service tickets. This could lead to data leakage, intellectual property exposure, and potential manipulation or disruption of IT service workflows. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, may face compliance risks if unauthorized access results in personal or sensitive data exposure. Additionally, attackers leveraging this vulnerability could gain footholds within IT management systems, facilitating further lateral movement or escalation within the network. Although no active exploitation has been reported, the persistence of valid sessions for deleted users increases the attack surface and risk window. The impact is compounded in large enterprises or public sector entities where GLPI is integrated into critical IT operations, potentially affecting availability and integrity of IT service management.

The primary and most effective mitigation is to upgrade all GLPI installations to version 10.0.4 or later, where the session expiration flaw has been addressed. Organizations should implement strict session management policies, including reducing session lifetimes and enforcing session invalidation upon user deactivation or deletion. Regular audits of active sessions should be conducted to identify and terminate any sessions associated with removed or inactive accounts. Additionally, organizations should enforce multi-factor authentication (MFA) for GLPI access to reduce the risk of session hijacking. Monitoring and logging access to GLPI systems should be enhanced to detect anomalous activities, such as access by deactivated users. Where possible, network segmentation should be applied to limit GLPI access to trusted internal networks or VPNs. Finally, organizations should review and update their user deprovisioning processes to ensure timely session termination and account removal in GLPI and related systems.