PT-2022-16877 · Statamic · Statamic

Thibaud Kehler · Published 2022-03-25 · Updated 2023-06-30 · CVE-2022-24784

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Statamic versions prior to 3.2.39
Statamic versions prior to 3.3.2
Description

The issue allows an attacker to confirm a single character of a user's password hash using a specially crafted regular expression filter on the "users" endpoint of the REST API. Repeated requests can eventually uncover the entire hash. The hash itself is never returned in the response, but the presence or absence of a matching result confirms whether the guessed character is in the right position. The API has throttling enabled by default, which makes this a time-intensive task. Both the REST API and its users endpoint need to be enabled for the issue to be exploitable, as both are disabled by default.

Recommendations

For versions prior to 3.2.39, update to version 3.2.39 or later. For versions prior to 3.3.2, update to version 3.3.2 or later. As a temporary workaround, consider disabling the REST API and the users endpoint until a patch is applied. Filtering by password or password hash has been disabled in the fixed versions; this change can also be applied manually to mitigate the issue.
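The two defensive measures that follow from the recommendations above, a request guard that refuses filters on the password fields (the same restriction the fixed versions apply) and a log check that counts repeated filter requests on those fields per client, as an added example in Python. This is not Statamic's own code. It assumes the REST API expresses filters as query parameters of the form filter[<field>:<condition>]=<value> and that the users endpoint is served at /api/users; the log lines are constructed for the example, with RFC 5737 documentation addresses.

```python
"""Added example, not part of the Statamic project: a filter-field guard and a
log-side detector for the password-hash filter oracle in this advisory.

Assumptions (not taken from the advisory): filters arrive as query parameters
shaped like filter[<field>:<condition>]=<value>, and the users endpoint is
/api/users. Adjust both to match the real deployment before use.
"""
import re
from collections import Counter
from typing import Iterable
from urllib.parse import parse_qsl, urlsplit

# The fields that must never be filterable on the users endpoint. Blocking
# them regardless of condition (regex, equals, contains, ...) is what removes
# the yes/no oracle; this mirrors the change shipped in the fixed versions.
FORBIDDEN_FILTER_FIELDS = {"password", "password_hash"}

# Assumed key shape: filter[field] or filter[field:condition].
FILTER_KEY = re.compile(r"^filter\[(?P<field>[^:\]]+)(?::(?P<condition>[^\]]+))?\]$")

# Common/combined access-log format: client, identd, user, [time], "request", status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_filters(query: str) -> list[tuple[str, str, str]]:
    """Return (field, condition, value) triples for every filter parameter.

    parse_qsl percent-decodes keys, so an encoded filter%5B...%5D is handled
    the same as a literal filter[...]. A missing condition defaults to "equals".
    """
    triples = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        match = FILTER_KEY.match(key)
        if match:
            triples.append((match.group("field"), match.group("condition") or "equals", value))
    return triples


def reject_forbidden_filters(query: str) -> list[str]:
    """Mitigation: the filter fields in this query that the API should refuse.

    A non-empty result means the request should be answered with an error
    (e.g. 400) before any user lookup runs, so no presence/absence signal leaks.
    """
    return [field for field, _, _ in parse_filters(query)
            if field.lower() in FORBIDDEN_FILTER_FIELDS]


def detect_hash_probes(log_lines: Iterable[str], users_path: str = "/api/users") -> dict[str, int]:
    """Detection: per-client count of users-endpoint requests filtering on a forbidden field.

    Throttled (429) attempts are counted too: the probe was still sent, and a
    slow stream of such requests is exactly the pattern the advisory describes.
    """
    hits: Counter = Counter()
    for line in log_lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if parts.path.rstrip("/") != users_path:
            continue
        if reject_forbidden_filters(parts.query):
            hits[match.group("ip")] += 1
    return dict(hits)


# Constructed sample log: three filter requests on the password field from one
# client (the third one throttled), plus benign traffic from another client.
SAMPLE_LOG = [
    '203.0.113.9 - - [25/Mar/2022:10:00:01 +0000] "GET /api/users?filter%5Bpassword%3Aregex%5D=x HTTP/1.1" 200 512',
    '203.0.113.9 - - [25/Mar/2022:10:00:02 +0000] "GET /api/users?filter%5Bpassword%3Aregex%5D=x HTTP/1.1" 200 22',
    '203.0.113.9 - - [25/Mar/2022:10:00:03 +0000] "GET /api/users?filter%5Bpassword%3Aregex%5D=x HTTP/1.1" 429 0',
    '198.51.100.4 - - [25/Mar/2022:10:00:04 +0000] "GET /api/users?filter%5Bemail%3Acontains%5D=bob HTTP/1.1" 200 800',
    '198.51.100.4 - - [25/Mar/2022:10:00:05 +0000] "GET /api/collections/pages/entries HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    print("guard:", reject_forbidden_filters("filter[password:regex]=x&filter[email:contains]=bob"))
    print("probes per client:", detect_hash_probes(SAMPLE_LOG))
```

The guard compares field names case-insensitively and ignores the condition on purpose: restricting only the regex condition would leave equality or substring matching as a slower oracle, so the whole field is refused. The detector keys on the same field check, so a deployment that adds or renames sensitive fields only needs to update FORBIDDEN_FILTER_FIELDS once.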

Exploit

Fix

Information Disclosure

Inadequate Encryption Strength

Side Channel Attack

Weakness Enumeration

Related Identifiers

CVE-2022-24784
GHSA-QCGX-7P5F-HXVR

Affected Products

Statamic