Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jN3BjLXBnZjYtbWZoNc4AAv0a
ezplatform-graphql GraphQL queries can expose password hashes
Impact
Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically but not necessarily limited to administrators and editors.
Patches
Resolving versions: ezsystems/ezplatform-graphql v1.0.13 (1.x branch) and v2.3.12 (2.x branch); see the affected package data below.
Workarounds
Remove the "passwordHash" entry from "src/bundle/Resources/config/graphql/User.types.yaml" in the GraphQL package. You may also remove the related properties (hash type, email, login) if they should not be readable by unauthenticated clients either.
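The following is an added check, not code from the advisory, ezplatform-graphql or Ibexa: it inspects a GraphQL introspection result, which is what an unauthenticated client can fetch when introspection is enabled, and flags fields that carry credential material. The introspection document is constructed for the example; the type name "User" and the field names (passwordHash, passwordHashType, email, login) follow the workaround text above and are assumptions, since the real schema may name things differently.

```python
"""Check a GraphQL schema for fields that leak credential material.

Added example for this advisory; it is not code from ezplatform-graphql or
Ibexa. It runs over a GraphQL introspection result. The introspection document
built below is constructed: the "User" type and its field names are assumed
from the workaround text, not captured from a real instance.
"""
import json
import re

# Standard introspection query, trimmed to type names and field names.
INTROSPECTION_QUERY = """
query SchemaFields {
  __schema {
    types { name kind fields { name } }
  }
}
"""

# Field names that must not be reachable without authentication.
SENSITIVE_FIELD_PATTERNS = [
    re.compile(r"password|hash", re.IGNORECASE),   # passwordHash, passwordHashType
    re.compile(r"secret|token|salt", re.IGNORECASE),
]

# Constructed "before workaround" User fields (assumption, not a real schema).
USER_FIELDS_BEFORE = ["id", "login", "email", "passwordHash", "passwordHashType"]
# The same type after the passwordHash and hash type entries were removed.
USER_FIELDS_AFTER = ["id", "login", "email"]


def build_introspection(user_fields):
    """Return a minimal introspection response as JSON text.

    Only the User type varies. The other entries are there so the checker has
    to skip a scalar (no fields) and an introspection meta-type ("__Type").
    """
    def fields(names):
        return [{"name": name} for name in names]

    doc = {"data": {"__schema": {"types": [
        {"name": "User", "kind": "OBJECT", "fields": fields(user_fields)},
        {"name": "Content", "kind": "OBJECT", "fields": fields(["id", "name"])},
        {"name": "__Type", "kind": "OBJECT", "fields": fields(["name", "kind"])},
        {"name": "String", "kind": "SCALAR", "fields": None},
    ]}}}
    return json.dumps(doc)


def find_sensitive_fields(introspection_json, patterns=SENSITIVE_FIELD_PATTERNS):
    """Return sorted (type, field) pairs whose field name matches a pattern."""
    doc = json.loads(introspection_json)
    hits = []
    for gql_type in doc["data"]["__schema"]["types"]:
        # Meta-types describe the schema itself; scalars and enums carry no fields.
        if gql_type["name"].startswith("__") or not gql_type.get("fields"):
            continue
        for field in gql_type["fields"]:
            if any(p.search(field["name"]) for p in patterns):
                hits.append((gql_type["name"], field["name"]))
    return sorted(hits)


if __name__ == "__main__":
    print("before workaround:", find_sensitive_fields(build_introspection(USER_FIELDS_BEFORE)))
    print("after workaround: ", find_sensitive_fields(build_introspection(USER_FIELDS_AFTER)))
```

To run this against a live install, POST INTROSPECTION_QUERY to the GraphQL endpoint without any session or token and pass the response body to find_sensitive_fields; an empty result after applying the workaround is the expected state, while a hit on the User type means unauthenticated clients can still select the hash regardless of the installed version. If introspection is disabled the check cannot see the schema, but that does not by itself stop a client from querying a field it already knows the name of.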
References
This issue was reported to us by Philippe Tranca ("trancap") of the company Lexfo. We are very grateful for their research and responsible disclosure to us of this critical vulnerability.
For more information
If you have any questions or comments about this advisory, please contact Support via your service portal.
Permalink: https://github.com/advisories/GHSA-c7pc-pgf6-mfh5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jN3BjLXBnZjYtbWZoNc4AAv0a
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-c7pc-pgf6-mfh5, CVE-2022-41876
References:
- https://github.com/ezsystems/ezplatform-graphql/security/advisories/GHSA-c7pc-pgf6-mfh5
- https://developers.ibexa.co/security-advisories/ibexa-sa-2022-009-critical-vulnerabilities-in-graphql-role-assignment-ct-editing-and-drafts-tooltips
- https://nvd.nist.gov/vuln/detail/CVE-2022-41876
- https://github.com/advisories/GHSA-c7pc-pgf6-mfh5
Blast Radius: 12.5
Affected Packages
packagist:ezsystems/ezplatform-graphql
Dependent packages: 16
Dependent repositories: 46
Downloads: 560,816 total
Affected Version Ranges: >= 2.0.0-beta1, < 2.3.12, >= 1.0.0-rc1, < 1.0.13
Fixed in: 2.3.12, 1.0.13
All affected versions: 1.0.0, 1.0.0-rc1, 1.0.0-rc2, 1.0.0-rc3, 1.0.1, 1.0.2, 1.0.3, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 2.0.0, 2.0.0-beta1, 2.0.0-beta2, 2.0.0-beta3, 2.0.0-beta4, 2.0.0-beta5, 2.0.0-rc1, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.3.11
All unaffected versions: 0.3.0, 0.3.1, 0.3.2, 0.3.3, 1.0.13, 2.3.12, 2.3.13, 2.3.14, 2.3.15, 2.3.16, 2.3.17
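As an added example (not project code), the version ranges above can be turned into a check against an installed copy. The ranges are taken from this page; the version ordering is a small Composer-style comparison in which a pre-release (beta, rc) sorts before the release it precedes, which is what makes 2.0.0-beta1 fall inside the 2.x range. The composer.lock document used for the demonstration is constructed.

```python
"""Decide whether an installed ezplatform-graphql version is affected.

Added example for this advisory; not code from the project. The affected
ranges are the ones listed on this page. Version strings are compared with a
minimal Composer-style ordering: core numbers first, then pre-release label
and number, with a final release sorting after any pre-release of the same core.
"""
import json
import re

PACKAGE = "ezsystems/ezplatform-graphql"

# Lower bound inclusive, upper bound exclusive, as on the advisory page.
AFFECTED_RANGES = [
    ("1.0.0-rc1", "1.0.13"),
    ("2.0.0-beta1", "2.3.12"),
]

_PRE_TAG = re.compile(r"^([A-Za-z]+)\.?(\d*)$")

# Constructed composer.lock fragment (not a real lock file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/console", "version": "v5.4.20"},
        {"name": PACKAGE, "version": "v2.3.11"},
    ],
    "packages-dev": [],
})


def version_key(version):
    """Sort key for versions such as 1.0.13, v2.0.0-beta1 or 2.3.12-RC1.

    Releases get a trailing (1,) so they sort after every pre-release of the
    same core; pre-releases sort as (0, label, number), so beta1 < beta2 < rc1.
    """
    core, _, pre = version.strip().lstrip("v").partition("-")
    nums = tuple(int(part) for part in core.split("."))
    nums = (nums + (0, 0, 0))[:3]            # pad "2.3" to (2, 3, 0)
    if not pre:
        return nums + ((1,),)
    match = _PRE_TAG.match(pre)
    if not match:
        raise ValueError(f"unrecognised pre-release tag in {version!r}")
    return nums + ((0, match.group(1).lower(), int(match.group(2) or 0)),)


def is_affected(version, ranges=AFFECTED_RANGES):
    """True when version lies inside any affected range."""
    key = version_key(version)
    return any(version_key(low) <= key < version_key(high) for low, high in ranges)


def installed_version(composer_lock_json, package=PACKAGE):
    """Return the locked version of package from a composer.lock document, or None."""
    lock = json.loads(composer_lock_json)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == package:
            return pkg.get("version")
    return None


if __name__ == "__main__":
    locked = installed_version(SAMPLE_LOCK)
    print(f"{PACKAGE} {locked}: affected={is_affected(locked)}")
```

Point installed_version at the real composer.lock of a deployment to get the locked version; a result of None means the package is not installed at all. Note that a version outside the ranges only means the shipped types file no longer exposes the hash, so a project that overrides User.types.yaml itself should still run the schema check.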