GHSA-c7pc-pgf6-mfh5

Source

https://github.com/advisories/GHSA-c7pc-pgf6-mfh5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-c7pc-pgf6-mfh5/GHSA-c7pc-pgf6-mfh5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-c7pc-pgf6-mfh5

Aliases

CVE-2022-41876

Published

2022-11-10T21:46:14Z

Modified

2023-11-08T04:10:33.464476Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

ezplatform-graphql GraphQL queries can expose password hashes

Details

Impact

Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically but not necessarily limited to administrators and editors.

Patches

Resolving versions: Ibexa DXP v1.0.13, v2.3.12

Workarounds

Remove the "passwordHash" entry from "src/bundle/Resources/config/graphql/User.types.yaml" in the GraphQL package, and other properties like hash type, email, login if you prefer.

References

This issue was reported to us by Philippe Tranca ("trancap") of the company Lexfo. We are very grateful for their research, and responsible disclosure to us of this critical vulnerability.

For more information

If you have any questions or comments about this advisory, please contact Support via your service portal.

Database specific

{
    "nvd_published_at": "2022-11-10T21:15:00Z",
    "github_reviewed_at": "2022-11-10T21:46:14Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-200",
        "CWE-922"
    ]
}

References

Affected packages

Packagist / ezsystems/ezplatform-graphql

Package

Name: ezsystems/ezplatform-graphql
Purl: pkg:composer/ezsystems/ezplatform-graphql

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.0.0-rc1

Fixed

1.0.13

Affected versions

v1.*

v1.0.0-rc1

v1.0.0-rc2

v1.0.0-rc3

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4-rc1

v1.0.5

v1.0.6-rc1

v1.0.6

v1.0.7

v1.0.8

v1.0.9

v1.0.10

v1.0.11

v1.0.12

Packagist / ezsystems/ezplatform-graphql

Package

Name: ezsystems/ezplatform-graphql
Purl: pkg:composer/ezsystems/ezplatform-graphql

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0-beta1

Fixed

2.3.12

Affected versions

v2.*

v2.0.0-beta1

v2.0.0-beta2

v2.0.0-beta3

v2.0.0-beta4

v2.0.0-beta5

v2.0.0-rc1

v2.0.0

v2.0.1

v2.1.0-beta1

v2.1.0-rc1

v2.1.0

v2.1.1

v2.2.0-beta1

v2.2.0-rc1

v2.2.0

v2.2.1

v2.2.2

v2.2.3

v2.3.0-beta1

v2.3.0-rc1

v2.3.0-rc2

v2.3.0

v2.3.1

v2.3.2

v2.3.3

v2.3.3.1

v2.3.4

v2.3.5

v2.3.6

v2.3.7

v2.3.8

v2.3.9

v2.3.10

v2.3.11