CVE-2022-41876 – ezsystems/ezplatform-graphql

Package

Manager: composer
Name: ezsystems/ezplatform-graphql
Vulnerable Version: >=1.0.0-rc1 <1.0.13 || >=2.0.0-beta1 <2.3.12

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.08748 pctl0.9216

Details

ezplatform-graphql GraphQL queries can expose password hashes ### Impact Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically but not necessarily limited to administrators and editors. ### Patches Resolving versions: Ibexa DXP v1.0.13, v2.3.12 ### Workarounds Remove the "passwordHash" entry from "src/bundle/Resources/config/graphql/User.types.yaml" in the GraphQL package, and other properties like hash type, email, login if you prefer. ### References This issue was reported to us by Philippe Tranca ("trancap") of the company Lexfo. We are very grateful for their research, and responsible disclosure to us of this critical vulnerability. ### For more information If you have any questions or comments about this advisory, please contact Support via your service portal.

Metadata

Created: 2022-11-10T21:46:14Z
Modified: 2022-11-10T21:46:14Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-c7pc-pgf6-mfh5/GHSA-c7pc-pgf6-mfh5.json
CWE IDs: ["CWE-200", "CWE-922"]
Alternative ID: GHSA-c7pc-pgf6-mfh5
Finding: F038
Auto approve: 1