CVE-2024-56801 Overview
CVE-2024-56801 is a blind SQL injection vulnerability affecting the Tasklists plugin for GLPI, developed by Infotel. This vulnerability exists in versions prior to 2.0.4 and allows attackers to execute arbitrary SQL queries against the underlying database through specially crafted input. Blind SQL injection attacks are particularly dangerous as they can be used to extract sensitive information from the database without producing visible error messages, making detection more challenging.
Critical Impact
Attackers can exploit this blind SQL injection vulnerability to extract sensitive data from the GLPI database, potentially compromising user credentials, ticket information, and other confidential organizational data managed within the IT service management platform.
Affected Products
- Infotel Tasklists plugin for GLPI versions prior to 2.0.4
Discovery Timeline
- 2024-12-30 - CVE-2024-56801 published to NVD
- 2025-02-07 - Last updated in NVD database
Technical Details for CVE-2024-56801
Vulnerability Analysis
This blind SQL injection vulnerability (CWE-89: Improper Neutralization of Special Elements used in an SQL Command) occurs when user-supplied input is incorporated into SQL queries without proper sanitization or parameterization. The vulnerability is classified as "blind" because the application does not return direct error messages or query results to the attacker. Instead, attackers must infer information about the database structure and contents by observing application behavior, such as response timing differences or conditional responses.
The network-accessible attack vector means that remote, unauthenticated attackers can potentially exploit this vulnerability without requiring any user interaction. This makes the vulnerability particularly concerning for internet-facing GLPI installations with the Tasklists plugin enabled.
Root Cause
The root cause of this vulnerability is improper input validation and the absence of parameterized queries in the Tasklists plugin code. When user input is directly concatenated into SQL query strings rather than being passed through prepared statements or properly escaped, attackers can inject malicious SQL fragments that alter the intended query logic. The fix implemented in version 2.0.4 addresses this by properly sanitizing input before it is used in database queries.
Attack Vector
The attack vector for CVE-2024-56801 is network-based, allowing remote exploitation without authentication. An attacker can send specially crafted HTTP requests to a vulnerable GLPI installation with the Tasklists plugin. The malicious input is then processed by the plugin and incorporated into database queries.
Since this is a blind SQL injection, attackers typically employ techniques such as:
- Boolean-based blind injection: Crafting queries that produce different application responses based on true/false conditions
- Time-based blind injection: Using database-specific sleep functions to introduce measurable delays that indicate successful query execution
- Out-of-band data exfiltration: Leveraging database features to send data to attacker-controlled servers
For detailed technical information about the vulnerability and its exploitation, refer to the GitHub Security Advisory GHSA-c6fw-xw9x-gwjw.
Detection Methods for CVE-2024-56801
Indicators of Compromise
- Unusual or malformed HTTP requests targeting the Tasklists plugin endpoints containing SQL syntax characters such as single quotes, semicolons, or SQL keywords (UNION, SELECT, SLEEP, BENCHMARK)
- Abnormally slow response times from GLPI that may indicate time-based SQL injection attempts
- Database logs showing unexpected or malformed queries originating from the Tasklists plugin
- Increased database CPU usage or query execution times without corresponding legitimate activity
Detection Strategies
- Deploy web application firewall (WAF) rules to detect and block SQL injection patterns in requests targeting GLPI
- Enable detailed logging on the GLPI application and database servers to capture suspicious query patterns
- Implement SentinelOne's application-level monitoring to detect anomalous behavior patterns associated with SQL injection exploitation
- Monitor for automated scanning tools like SQLMap that may be used to enumerate and exploit this vulnerability
Monitoring Recommendations
- Configure database audit logging to track all queries executed by the GLPI application user
- Set up alerting for database queries containing suspicious patterns or time-based functions (e.g., SLEEP(), BENCHMARK())
- Monitor network traffic for data exfiltration patterns that may indicate successful exploitation
- Review access logs for repeated requests to Tasklists plugin endpoints with varying parameters
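To make the indicators above concrete, here is an added example (not part of the advisory, the Tasklists plugin, or any vendor tooling) that scans Apache access-log lines for the three patterns listed: SQL syntax or time-based functions in query strings, abnormally slow responses, and repeated requests to the plugin with varying parameters. It assumes the combined log format with `%D` (duration in microseconds) appended and a hypothetical `/plugins/tasklists/` URL prefix; the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache combined log format with %D (request duration in microseconds) appended.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<us>\d+)$')
# Indicators named in the advisory: SQL keywords, time-based functions, quotes, semicolons.
SQL_RE = re.compile(r"\b(?:union|select|sleep|benchmark)\b|['\";]", re.IGNORECASE)
PLUGIN_PATH = "/plugins/tasklists/"  # assumed URL prefix; the advisory names no endpoint

def analyze(log_text, slow_ms=3000, burst_threshold=20):
    """Return a list of findings for requests that hit the Tasklists plugin path."""
    findings = []
    variants = defaultdict(set)  # (ip, path) -> distinct decoded query strings
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["url"].startswith(PLUGIN_PATH):
            continue
        path, _, query = m["url"].partition("?")
        decoded = unquote_plus(query)  # decode first so %27 is seen as a quote
        tokens = sorted({t.upper() for t in SQL_RE.findall(decoded)})
        if tokens:
            findings.append({"rule": "sql_syntax", "ip": m["ip"], "detail": tokens})
        if int(m["us"]) >= slow_ms * 1000:  # long responses hint at SLEEP()/BENCHMARK()
            findings.append({"rule": "slow_response", "ip": m["ip"], "detail": int(m["us"]) // 1000})
        variants[(m["ip"], path)].add(decoded)
    for (ip, path), queries in variants.items():  # many parameter variants = enumeration
        if len(queries) >= burst_threshold:
            findings.append({"rule": "parameter_fuzzing", "ip": ip, "detail": len(queries)})
    return findings

# Constructed sample traffic: one normal request, one non-plugin request containing a
# quote (out of scope here), and three probes from a single client against the plugin.
SAMPLE_LOG = """\
198.51.100.7 - - [30/Dec/2024:10:15:01 +0000] "GET /plugins/tasklists/front/tasklist.php?id=12 HTTP/1.1" 200 4120 "-" "Mozilla/5.0" 84000
198.51.100.7 - - [30/Dec/2024:10:15:09 +0000] "GET /front/ticket.php?id=5%27 HTTP/1.1" 200 9800 "-" "Mozilla/5.0" 91000
203.0.113.9 - - [30/Dec/2024:10:16:42 +0000] "GET /plugins/tasklists/front/tasklist.php?id=12%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 4120 "-" "Mozilla/5.0" 5104000
203.0.113.9 - - [30/Dec/2024:10:16:48 +0000] "GET /plugins/tasklists/front/tasklist.php?id=12%27%20AND%201=1--%20- HTTP/1.1" 200 4120 "-" "Mozilla/5.0" 88000
203.0.113.9 - - [30/Dec/2024:10:16:49 +0000] "GET /plugins/tasklists/front/tasklist.php?id=12%27%20AND%201=2--%20- HTTP/1.1" 200 4120 "-" "Mozilla/5.0" 87000
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, burst_threshold=3):
        print(f"{f['rule']:18} {f['ip']:14} {f['detail']}")
```

The burst threshold is deliberately low in the sample run; on real logs tune `slow_ms` and `burst_threshold` against the baseline of legitimate plugin traffic.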
How to Mitigate CVE-2024-56801
Immediate Actions Required
- Upgrade the Infotel Tasklists plugin to version 2.0.4 or later immediately
- Review database logs for signs of exploitation attempts prior to patching
- Audit database contents for unauthorized modifications or data exfiltration indicators
- Consider temporarily disabling the Tasklists plugin if immediate patching is not possible
Patch Information
The vulnerability has been addressed in Tasklists plugin version 2.0.4. The fix is documented in GitHub commit 6444026e3d2b8fb22d5e5ab03fb86056e1ac9e43. Organizations should update to this version or later to remediate the vulnerability. The patch implements proper input sanitization to prevent SQL injection attacks.
Workarounds
- Deploy a web application firewall (WAF) with SQL injection detection rules to filter malicious requests targeting GLPI
- Restrict network access to GLPI to trusted IP addresses or VPN users only
- Disable the Tasklists plugin temporarily until the patch can be applied
- Implement database user privilege restrictions to limit the potential impact of SQL injection exploitation
# Example: Restrict GLPI access via Apache configuration
<Directory /var/www/glpi>
    # Allow only internal network access
    Require ip 10.0.0.0/8 192.168.0.0/16
    # Or require VPN/authenticated users. Note that sibling Require directives are
    # OR-ed (implicit RequireAny); wrap them in <RequireAll> to demand both conditions.
    # AuthType Basic
    # AuthName "GLPI Access"
    # Require valid-user
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.