Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS0zcDdnLXdyZ2ctd3E0Nc4AAv0Y

GraphQL queries can expose password hashes

Impact

Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically but not necessarily limited to administrators and editors.

Patches

Affected versions: Ibexa DXP v3.3.*, v4.2.*, eZ Platform v2.5.*
Resolving versions: Ibexa DXP v3.3.28, v4.2.3, eZ Platform v2.5.31

Workarounds

Remove the "passwordHash" entry from "src/bundle/Resources/config/graphql/User.types.yaml" in the GraphQL package, and other properties like hash type, email, login if you prefer.

References

This issue was reported to us by Philippe Tranca ("trancap") of the company Lexfo. We are very grateful for their research, and responsible disclosure to us of this critical vulnerability.

For more information

If you have any questions or comments about this advisory, please contact Support via your service portal.

Permalink: https://github.com/advisories/GHSA-3p7g-wrgg-wq45
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zcDdnLXdyZ2ctd3E0Nc4AAv0Y
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 years ago
Updated: almost 2 years ago


Identifiers: GHSA-3p7g-wrgg-wq45
References: Repository: https://github.com/ibexa/graphql
Blast Radius: 0.0

Affected Packages

packagist:ibexa/graphql
Dependent packages: 6
Dependent repositories: 4
Downloads: 480,349 total
Affected Version Ranges: >= 3.3.0, < 3.3.28, >= 4.2.0, < 4.2.3, >= 2.5.0, < 2.5.31
Fixed in: 3.3.28, 4.2.3, 2.5.31
All affected versions: 4.2.0, 4.2.1, 4.2.2
All unaffected versions: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.2.3, 4.2.4, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.5.6, 4.5.7, 4.6.0, 4.6.1, 4.6.2, 4.6.3, 4.6.4, 4.6.5, 4.6.6, 4.6.7, 4.6.8, 4.6.9, 4.6.10, 4.6.11, 4.6.12, 4.6.13, 4.6.14, 4.6.15