{"id":421641,"date":"2022-10-05T11:02:11","date_gmt":"2022-10-05T09:02:11","guid":{"rendered":"https:\/\/glpi-project.org\/?p=421641"},"modified":"2025-06-16T13:19:46","modified_gmt":"2025-06-16T12:19:46","slug":"security-update-10-0-3-and-9-5-9","status":"publish","type":"post","link":"https:\/\/www.glpi-project.org\/fr\/security-update-10-0-3-and-9-5-9\/","title":{"rendered":"Important message about security (CVE-2022-35947, CVE-2022-35914)!"},"content":{"rendered":"<p>We published corrective versions on September 14, 2022:<\/p><ul class=\"wp-block-list\"><li class=\"\"><strong>9.5.9<\/strong>:&nbsp;<a href=\"https:\/\/github.com\/glpi-project\/glpi\/releases\/download\/9.5.9\/glpi-9.5.9.tgz\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/github.com\/glpi-project\/glpi\/releases\/download\/9.5.9\/glpi-9.5.9.tgz<\/a><\/li><li class=\"\"><strong>10.0.3<\/strong>:&nbsp;<a href=\"https:\/\/github.com\/glpi-project\/glpi\/releases\/download\/10.0.3\/glpi-10.0.3.tgz\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/github.com\/glpi-project\/glpi\/releases\/download\/10.0.3\/glpi-10.0.3.tgz<\/a><\/li><\/ul><p>These fix two critical security vulnerabilities: a SQL injection (CVE-2022-35947) and a remote code execution (CVE-2022-35914, a vulnerability in the third-party library htmlawed). The latter has been massively exploited since October 3, 2022 to execute code on unpatched, internet-exposed servers hosting GLPI (<strong>GLPI Network Cloud instances are not impacted<\/strong>).<\/p><p>If you are not on the latest version&nbsp;<strong>9.5.9<\/strong>&nbsp;or&nbsp;<strong>10.0.3<\/strong>, you must&nbsp;<strong>update your instances<\/strong>&nbsp;according to the&nbsp;<a href=\"https:\/\/glpi-install.readthedocs.io\/en\/latest\/update.html\" target=\"_blank\" rel=\"noreferrer noopener\">recommended method<\/a>&nbsp;(from an empty folder, without overwriting existing GLPI files).<\/p><p>We have noticed a scenario in which the corrective 
versions can also be impacted: when the GLPI update was performed by unpacking the archive&nbsp;<strong>over the existing folders and files<\/strong>, so that files the new release no longer ships (such as the vulnerable&nbsp;<code>htmLawedTest.php<\/code>) are left in place. This way of updating GLPI is bad practice and, quite apart from the current security problem, exposes you to bugs.<\/p><p>We invite you to correctly re-install your GLPI as described in the&nbsp;<a href=\"https:\/\/glpi-install.readthedocs.io\/en\/latest\/update.html\" target=\"_blank\" rel=\"noreferrer noopener\">documentation<\/a>:<\/p><ul class=\"wp-block-list\"><li class=\"\">start from an empty folder<\/li><li class=\"\">copy the files from the archive of the latest version into it<\/li><li class=\"\">copy your&nbsp;<code>config\/<\/code>&nbsp;and&nbsp;<code>files\/<\/code>&nbsp;directories over from the old instance.<\/li><\/ul><p>Workarounds for the RCE if you cannot update immediately (they do not fix the SQL injection):<\/p><ul class=\"wp-block-list\"><li class=\"\">delete the&nbsp;<strong><code>vendor\/htmlawed\/htmlawed\/htmLawedTest.php<\/code><\/strong>&nbsp;file (be careful not to touch the&nbsp;<code>htmLawed.php<\/code>&nbsp;file in the same directory, which is the legitimate library).<\/li><li class=\"\">prevent web access to the&nbsp;<strong><code>vendor\/<\/code><\/strong>&nbsp;folder, for example with an appropriate&nbsp;<code>.htaccess<\/code>&nbsp;on Apache.<\/li><\/ul><p>If your server has already been compromised, you should rebuild on a new server, importing your SQL dump and the directories mentioned above, and treat any credentials stored on the compromised host (such as the database credentials in&nbsp;<code>config\/<\/code>) as exposed.<\/p>","protected":false},"excerpt":{"rendered":"<p>We published corrective versions on September 14, 2022: 9.5.9:&nbsp;https:\/\/github.com\/glpi-project\/glpi\/releases\/download\/9.5.9\/glpi-9.5.9.tgz 10.0.3:&nbsp;https:\/\/github.com\/glpi-project\/glpi\/releases\/download\/10.0.3\/glpi-10.0.3.tgz These fix two critical security vulnerabilities: a SQL Injection (CVE-2022-35947), and a Remote Code Execution (CVE-2022-35914, vulnerability in the third-party library, htmlawed), the latter has been massively exploited since 
October 3, 2022 to execute code on insecure servers, available on the internet, hosting GLPI (GLPI [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[157],"tags":[],"class_list":["post-421641","post","type-post","status-publish","format-standard","hentry","category-communaute"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.glpi-project.org\/fr\/wp-json\/wp\/v2\/posts\/421641","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.glpi-project.org\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.glpi-project.org\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.glpi-project.org\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.glpi-project.org\/fr\/wp-json\/wp\/v2\/comments?post=421641"}],"version-history":[{"count":1,"href":"https:\/\/www.glpi-project.org\/fr\/wp-json\/wp\/v2\/posts\/421641\/revisions"}],"predecessor-version":[{"id":436367,"href":"https:\/\/www.glpi-project.org\/fr\/wp-json\/wp\/v2\/posts\/421641\/revisions\/436367"}],"wp:attachment":[{"href":"https:\/\/www.glpi-project.org\/fr\/wp-json\/wp\/v2\/media?parent=421641"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.glpi-project.org\/fr\/wp-json\/wp\/v2\/categories?post=421641"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.glpi-project.org\/fr\/wp-json\/wp\/v2\/tags?post=421641"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
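The two procedures in the advisory above, the clean re-install from an empty folder with config/ and files/ carried over, and the emergency RCE workaround (delete htmLawedTest.php, deny web access to vendor/), as one POSIX shell script with a check that the workaround is in place. This is an added example, not code from the GLPI project or the advisory. It assumes Apache 2.4 directive syntax for the .htaccess, that the release archive unpacks into a single top-level directory (hence --strip-components=1), and the function names and CLI are invented for this example.

```shell
#!/bin/sh
# Added example, not code from the GLPI project. Implements the advisory's two
# procedures as functions on a GLPI web root. Assumptions (not from the page):
# Apache 2.4 directive syntax for the .htaccess, and a release archive whose
# content sits under one top-level directory (hence --strip-components=1).
set -e

# Emergency workaround for the RCE (CVE-2022-35914) only; it does nothing for
# the SQL injection (CVE-2022-35947). Deletes the exploitable test script and
# denies HTTP access to vendor/.
glpi_apply_rce_workaround() {
    root="$1"
    lib_dir="$root/vendor/htmlawed/htmlawed"
    # The library file must remain: refuse to act on a tree that lacks it, so a
    # wrong path cannot silently "succeed" without touching anything real.
    if [ ! -f "$lib_dir/htmLawed.php" ]; then
        echo "no htmLawed.php under $root: not a GLPI tree?" >&2
        return 1
    fi
    rm -f "$lib_dir/htmLawedTest.php"
    # Apache 2.4 syntax (assumption). On nginx the equivalent is a
    # "location ^~ /vendor/ { deny all; }" block in the server config.
    cat > "$root/vendor/.htaccess" <<'EOF'
# Nothing under vendor/ needs to be reachable over HTTP (CVE-2022-35914 workaround)
Require all denied
EOF
}

# Check: returns 0 when the test script is gone, the library is intact and
# vendor/ is denied.
glpi_rce_workaround_applied() {
    root="$1"
    [ ! -e "$root/vendor/htmlawed/htmlawed/htmLawedTest.php" ] &&
    [ -f "$root/vendor/htmlawed/htmlawed/htmLawed.php" ] &&
    grep -q '^Require all denied' "$root/vendor/.htaccess" 2>/dev/null
}

# Recommended update: unpack the archive into an empty folder, then carry over
# config/ and files/ from the old instance. Unpacking over the old tree is what
# the advisory warns against: files the new release dropped would survive.
glpi_clean_reinstall() {
    archive="$1"; old_root="$2"; new_root="$3"
    if [ -e "$new_root" ]; then
        echo "$new_root already exists: start from an empty folder" >&2
        return 1
    fi
    mkdir -p "$new_root"
    tar -xzf "$archive" --strip-components=1 -C "$new_root"
    for d in config files; do
        if [ -d "$old_root/$d" ]; then
            cp -R -p "$old_root/$d" "$new_root/"
        fi
    done
}

# Minimal CLI so the file can be run directly, e.g.
#   sh glpi_remediate.sh workaround /var/www/glpi
#   sh glpi_remediate.sh reinstall glpi-10.0.3.tgz /var/www/glpi /var/www/glpi-10.0.3
case "${1:-}" in
    workaround) glpi_apply_rce_workaround "$2" ;;
    check)      glpi_rce_workaround_applied "$2" && echo "workaround present on $2" ;;
    reinstall)  glpi_clean_reinstall "$2" "$3" "$4" ;;
esac
```

After a clean re-install the web server's document root (or virtual host) must be pointed at the new folder; the old tree should be kept offline only as long as needed for forensics and then removed, since it still contains the exploitable file.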