CVE-2022-39276: CWE-918: Server-Side Request Forgery (SSRF) in glpi-project glpi
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a free asset and IT management software package that provides ITIL service desk features, license tracking and software auditing. Usage of RSS feeds or an external calendar in planning is subject to an SSRF exploit. In case a remote script returns a redirect response, the redirect target URL is not checked against the URL allow list defined by the administrator. This issue has been patched; please upgrade to 10.0.4. There are currently no known workarounds.
AI Analysis
Technical Summary
CVE-2022-39276 is a Server-Side Request Forgery (SSRF) vulnerability identified in the GLPI (Gestionnaire Libre de Parc Informatique) software, an open-source IT asset and service management platform widely used for ITIL service desk functions, license tracking, and software auditing. The vulnerability affects GLPI versions prior to 10.0.4 and specifically arises when the software processes RSS feeds or external calendar data within its planning module. The root cause is that when a remote script returns an HTTP redirect response, the target URL of this redirect is not validated against the administrator-defined URL allow list. This allows an attacker to craft malicious URLs that cause the GLPI server to make unintended HTTP requests to arbitrary internal or external resources. SSRF vulnerabilities like this can be exploited to bypass network access controls, access internal services, or perform reconnaissance on internal infrastructure. The vulnerability has been patched in GLPI version 10.0.4, and no known workarounds exist. There are currently no reports of active exploitation in the wild. The issue is classified under CWE-918, which covers SSRF weaknesses where server-side applications are tricked into making requests to unintended locations. The lack of URL validation on redirects is a critical implementation flaw that enables this attack vector. Since GLPI is often deployed in enterprise environments managing sensitive IT assets and services, this SSRF can potentially be leveraged to access internal APIs, metadata services, or other protected resources behind firewalls, depending on the deployment context and network segmentation.
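The flaw described above is the missing re-check of each redirect hop. The following added example (illustrative Python, not GLPI's own code) contrasts a fetcher that validates only the configured URL with one that re-applies the administrator's allow list to every redirect target; the allow list, hostnames and responses are constructed, and a table stands in for real HTTP so it runs offline.

```python
from urllib.parse import urlsplit, urljoin

ALLOW_LIST = {"feeds.example.org", "calendar.example.org"}   # constructed allow list

# Constructed responses: url -> (status, Location header or None, body).
# The RSS host redirects to a constructed internal address that is NOT on the allow list.
FAKE_SERVER = {
    "https://feeds.example.org/rss": (302, "http://10.0.0.5/internal-api", ""),
    "http://10.0.0.5/internal-api": (200, None, "internal data"),
    "https://calendar.example.org/cal.ics": (301, "/v2/cal.ics", ""),
    "https://calendar.example.org/v2/cal.ics": (200, None, "BEGIN:VCALENDAR"),
}
REDIRECT_CODES = (301, 302, 303, 307, 308)

def transport(url):
    """Stand-in for a single HTTP round trip that does not follow redirects itself."""
    return FAKE_SERVER.get(url, (404, None, ""))

def url_allowed(url):
    """Allow only http(s) URLs whose hostname is on the administrator's allow list."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and parts.hostname in ALLOW_LIST

def fetch_vulnerable(url, max_hops=5):
    """Pre-10.0.4 pattern: the configured URL is checked once, redirect targets never."""
    if not url_allowed(url):
        raise PermissionError(url)
    for _ in range(max_hops):
        status, location, body = transport(url)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)   # new target is requested without any check
            continue
        return url, body
    raise RuntimeError("too many redirects")

def fetch_hardened(url, max_hops=5):
    """Corrected pattern: every URL actually requested, including each hop, passes the allow list."""
    for _ in range(max_hops):
        if not url_allowed(url):
            raise PermissionError(url)
        status, location, body = transport(url)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)   # resolve relative Location; loop re-checks it
            continue
        return url, body
    raise RuntimeError("too many redirects")
```

A relative `Location` on an allowed host (the calendar case) still works under the hardened fetcher, so the check does not break legitimate same-host redirects.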
Potential Impact
For European organizations, the impact of this SSRF vulnerability can be significant depending on the deployment scale and network architecture of GLPI instances. Exploitation could allow attackers to access internal services that are otherwise inaccessible externally, potentially leading to information disclosure, unauthorized internal network reconnaissance, or pivoting to further attacks. This is particularly concerning for organizations with sensitive internal infrastructure, such as government agencies, critical infrastructure operators, and large enterprises using GLPI for IT asset management. The vulnerability could also be used to exfiltrate sensitive configuration or credential data if internal endpoints are exposed. While the vulnerability itself does not directly allow remote code execution, the SSRF can be a stepping stone in multi-stage attacks. The absence of known exploits in the wild suggests limited immediate risk, but the medium severity rating indicates a moderate threat level that should not be ignored. The impact on confidentiality is moderate to high depending on internal resource exposure, integrity impact is low, and availability impact is minimal. Given GLPI’s role in IT management, disruption or compromise could indirectly affect IT service continuity.
Mitigation Recommendations
1. Immediate upgrade of all GLPI instances to version 10.0.4 or later, where the SSRF vulnerability has been patched, is the primary and most effective mitigation.
2. Review and tighten the URL allow list configurations to ensure only trusted domains are permitted for RSS feeds and external calendar sources.
3. Implement network segmentation and firewall rules to restrict GLPI server outbound HTTP requests to only necessary external endpoints, minimizing the risk of SSRF exploitation reaching internal services.
4. Monitor GLPI logs for unusual outbound requests or redirect responses that could indicate attempted exploitation.
5. Conduct internal security assessments to identify any sensitive internal services that could be exposed via SSRF and apply additional access controls or authentication where possible.
6. Educate administrators on the risks of SSRF and the importance of applying patches promptly.
7. If upgrading immediately is not feasible, consider disabling RSS feed and external calendar features temporarily to reduce attack surface, though this is a partial mitigation.
8. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious SSRF patterns targeting GLPI endpoints.
Affected Countries
France, Germany, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-09-02T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9849c4522896dcbf6c45
Added to database: 5/21/2025, 9:09:29 AM
Last enriched: 6/21/2025, 9:37:35 PM
Last updated: 8/17/2025, 2:45:40 PM