CVE-2022-41876

Source
https://cve.org/CVERecord?id=CVE-2022-41876
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41876.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-41876
Aliases
Published
2022-11-10T00:00:00Z
Modified
2026-07-15T02:06:32.348057319Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
ezplatform-graphql GraphQL queries can expose password hashes
Details

ezplatform-graphql is a GraphQL server implementation for Ibexa DXP and Ibexa Open Source. Versions prior to 2.3.12 and 1.0.13 are subject to Insecure Storage of Sensitive Information. Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically administrators and editors. This issue has been patched in versions 2.3.12, and 1.0.13 on the 1.X branch. Users unable to upgrade can remove the "passwordHash" entry from "src/bundle/Resources/config/graphql/User.types.yaml" in the GraphQL package, and other properties like hash type, email, login if you prefer.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/41xxx/CVE-2022-41876.json",
    "cwe_ids": [
        "CWE-200",
        "CWE-922"
    ]
}
References

Affected packages

Git / github.com/ezsystems/ezplatform

Affected ranges

Type
GIT
Repo
https://github.com/ezsystems/ezplatform
Events
Database specific
{
    "cpe": "cpe:2.3:a:ibexa:ezplatform-graphql:2.0.0:beta1:*:*:*:*:*:*",
    "source": "CPE_STRING",
    "extracted_events": [
        {
            "introduced": "2.0.0-beta1"
        },
        {
            "last_affected": "2.0.0-beta1"
        }
    ]
}
Type
GIT
Repo
https://github.com/ezsystems/ezplatform-graphql
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:ibexa:ezplatform-graphql:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:ibexa:ezplatform-graphql:2.0.0:beta1:*:*:*:*:*:*"
    ],
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ],
    "extracted_events": [
        {
            "introduced": "1.0.0"
        },
        {
            "fixed": "1.0.13"
        },
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.3.12"
        },
        {
            "introduced": "2.0.0-beta1"
        },
        {
            "last_affected": "2.0.0-beta1"
        }
    ]
}

Affected versions

2.*
2.0.0-beta1
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4-rc1
v1.0.5
v1.0.6
v1.0.6-rc1
v1.0.7
v1.0.8
v1.0.9
v2.*
v2.0.0-beta1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-41876.json"