CVE-2024-56801 Overview
CVE-2024-56801 is a blind SQL injection vulnerability in the Tasklists plugin for GLPI (Gestionnaire Libre de Parc Informatique), developed by Infotel. The flaw affects all versions of the plugin prior to 2.0.4. Unauthenticated attackers can inject malicious SQL statements over the network without user interaction. Because the injection is blind, attackers infer data through response timing or conditional behavior rather than direct output. The maintainer released version 2.0.4 to remediate the issue, classified under CWE-89: Improper Neutralization of Special Elements used in an SQL Command.
Critical Impact
Network-accessible blind SQL injection allows unauthenticated attackers to read sensitive data from GLPI databases hosting the Tasklists plugin, with an EPSS score of 8.388% (92nd percentile).
Affected Products
- Infotel Tasklists plugin for GLPI, all versions prior to 2.0.4
- GLPI instances with the Tasklists plugin installed and exposed to network access
- Deployments referenced by CPE cpe:2.3:a:infotel:tasklists:*:*:*:*:*:glpi:*:*
Discovery Timeline
- 2024-12-30 - CVE-2024-56801 published to NVD
- 2025-02-07 - Last updated in NVD database
Technical Details for CVE-2024-56801
Vulnerability Analysis
The Tasklists plugin extends GLPI with task list management features. Prior to version 2.0.4, the plugin constructs SQL queries by concatenating user-controlled input without proper parameterization or sanitization. This implementation allows attackers to alter the structure of database queries by injecting crafted payloads into vulnerable request parameters.
The vulnerability is blind, meaning the application does not return query results or verbose database errors directly to the attacker. Attackers extract information through inferential techniques such as boolean-based or time-based payloads. Conditional SLEEP() statements or CASE WHEN constructs reveal database contents one bit at a time based on observable response differences.
Because GLPI deployments commonly store asset inventories, ticket records, user credentials, and IT operations data, successful exploitation exposes operationally sensitive information. The fix in version 2.0.4 is published as commit 6444026e3d2b8fb22d5e5ab03fb86056e1ac9e43.
Root Cause
The root cause is improper neutralization of special characters in SQL statements [CWE-89]. The plugin places untrusted input directly into query strings rather than using prepared statements or the GLPI database abstraction layer's parameter binding functions.
Attack Vector
An attacker sends crafted HTTP requests to a vulnerable Tasklists plugin endpoint on a GLPI instance. The CVSS 4.0 vector indicates network attack vector with no privileges and no user interaction required. Exploitation requires the plugin to be installed and reachable, but the attacker does not need a GLPI account.
The vulnerability mechanism is described in prose because no verified proof-of-concept code is publicly available. Refer to the GitHub Security Advisory GHSA-c6fw-xw9x-gwjw and the upstream patch commit for technical details on the affected code paths.
Detection Methods for CVE-2024-56801
Indicators of Compromise
- HTTP requests to Tasklists plugin endpoints containing SQL keywords such as UNION, SELECT, SLEEP, BENCHMARK, or CASE WHEN in parameter values
- Unusually long response times from GLPI requests targeting Tasklists URLs, indicative of time-based blind injection
- Repeated requests to the same Tasklists endpoint with incrementally modified parameters from a single source
- Database logs showing malformed queries originating from the Tasklists plugin
Detection Strategies
- Inspect web server access logs for Tasklists plugin URLs containing encoded SQL syntax such as %27, %20OR%20, or ;--
- Deploy web application firewall (WAF) rules tuned for SQL injection patterns on GLPI request paths
- Enable MySQL/MariaDB general query logging during investigation to correlate suspicious queries with plugin requests
Monitoring Recommendations
- Alert on response-time anomalies for Tasklists endpoints exceeding baseline thresholds
- Track outbound connections and process activity originating from the PHP worker serving GLPI for signs of post-exploitation behavior
- Forward GLPI application logs and webserver logs into a centralized analytics platform for correlation across hosts
How to Mitigate CVE-2024-56801
Immediate Actions Required
- Upgrade the Tasklists plugin to version 2.0.4 or later on all GLPI instances
- Restrict network access to GLPI administrative interfaces using firewalls, VPNs, or IP allowlists until patching is complete
- Review GLPI and database logs for evidence of prior exploitation attempts against Tasklists endpoints
Patch Information
Infotel released the fix in Tasklists version 2.0.4, published as commit 6444026e3d2b8fb22d5e5ab03fb86056e1ac9e43. Administrators should download the patched release from the InfotelGLPI/tasklists GitHub repository and follow the standard GLPI plugin update procedure. The corresponding GHSA-c6fw-xw9x-gwjw advisory provides additional remediation guidance.
Workarounds
- Disable the Tasklists plugin in the GLPI configuration until the patched version is applied
- Deploy WAF signatures that block SQL injection payloads targeting GLPI plugin URLs
- Apply database account least privilege so the GLPI service user cannot read tables outside its operational scope
# Example: disable the Tasklists plugin via GLPI CLI until upgrade is complete
php bin/console glpi:plugin:deactivate tasklists
# Then upgrade to 2.0.4
cd plugins/tasklists
git fetch --tags
git checkout 2.0.4
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
