GHSA-3p7g-wrgg-wq45 – ibexa/graphql

Package

Manager: composer
Name: ibexa/graphql
Vulnerable Version: >=2.5.0 <2.5.31 || >=4.2.0 <4.2.3 || >=3.3.0 <3.3.28

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

GraphQL queries can expose password hashes ### Impact Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically but not necessarily limited to administrators and editors. ### Patches Affected versions: Ibexa DXP v3.3.\*, v4.2.\*, eZ Platform v2.5.\* Resolving versions: Ibexa DXP v3.3.28, v4.2.3, eZ Platform v2.5.31 ### Workarounds Remove the "passwordHash" entry from "src/bundle/Resources/config/graphql/User.types.yaml" in the GraphQL package, and other properties like hash type, email, login if you prefer. ### References This issue was reported to us by Philippe Tranca ("trancap") of the company Lexfo. We are very grateful for their research, and responsible disclosure to us of this critical vulnerability. ### For more information If you have any questions or comments about this advisory, please contact Support via your service portal.

Metadata

Created: 2022-11-10T21:35:49Z
Modified: 2022-11-10T21:35:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-3p7g-wrgg-wq45/GHSA-3p7g-wrgg-wq45.json
CWE IDs: ["CWE-916"]
Alternative ID: N/A
Finding: F052
Auto approve: 1