GHSA-3p7g-wrgg-wq45

Suggest an improvement
Source
https://github.com/advisories/GHSA-3p7g-wrgg-wq45
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-3p7g-wrgg-wq45/GHSA-3p7g-wrgg-wq45.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3p7g-wrgg-wq45
Published
2022-11-10T21:35:49Z
Modified
2024-12-02T05:55:00.400907Z
Summary
GraphQL queries can expose password hashes
Details

Impact

Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically but not necessarily limited to administrators and editors.

Patches

Affected versions: Ibexa DXP v3.3.*, v4.2.*, eZ Platform v2.5.* Resolving versions: Ibexa DXP v3.3.28, v4.2.3, eZ Platform v2.5.31

Workarounds

Remove the "passwordHash" entry from "src/bundle/Resources/config/graphql/User.types.yaml" in the GraphQL package, and other properties like hash type, email, login if you prefer.

References

This issue was reported to us by Philippe Tranca ("trancap") of the company Lexfo. We are very grateful for their research, and responsible disclosure to us of this critical vulnerability.

For more information

If you have any questions or comments about this advisory, please contact Support via your service portal.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-916"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-10T21:35:49Z"
}
References

Affected packages

Packagist / ibexa/graphql

Package

Name
ibexa/graphql
Purl
pkg:composer/ibexa/graphql

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.5.0
Fixed
2.5.31

Packagist / ibexa/graphql

Package

Name
ibexa/graphql
Purl
pkg:composer/ibexa/graphql

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2.0
Fixed
4.2.3

Affected versions

v4.*

v4.2.0
v4.2.1
v4.2.2

Packagist / ibexa/graphql

Package

Name
ibexa/graphql
Purl
pkg:composer/ibexa/graphql

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.3.0
Fixed
3.3.28