PT-2022-26109 · Ez Systems · Ezplatform-Graphql

Philippe Tranca +1 · Published 2022-11-10 · Updated 2022-11-15 · CVE-2022-41876

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

ezplatform-graphql versions prior to 1.0.13
ezplatform-graphql versions prior to 2.3.12

Description

The issue exposes the password hashes of users who have created or modified content, typically administrators and editors, through unauthenticated GraphQL queries for user accounts. This is due to insecure storage of sensitive information.

Recommendations

For versions prior to 1.0.13, update to version 1.0.13 to resolve the issue. For versions prior to 2.3.12, update to version 2.3.12 to resolve the issue. As a temporary workaround for users unable to upgrade, consider removing the passwordHash entry from src/bundle/Resources/config/graphql/User.types.yaml in the GraphQL package and, if preferred, other properties such as hash type, email and login.
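
A defender-side check for the recommendations above, added here as an example and not code from the vendor or from this advisory: it reads a composer.lock and the text of User.types.yaml, then reports whether the locked release is older than the fixed versions and whether passwordHash is still defined. The Composer package name, the per-major-line reading of the affected ranges, and both sample inputs are assumptions constructed for illustration.

```python
import json
import re

PACKAGE = "ezsystems/ezplatform-graphql"     # assumption: Composer package name
FIXED_1X, FIXED_2X = (1, 0, 13), (2, 3, 12)  # fixed releases named in the advisory

def parse_version(text):
    """'v2.3.11' -> (2, 3, 11); None for anything that is not a plain x.y.z release."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", (text or "").strip())
    return tuple(int(p) for p in m.groups()) if m else None

def locked_version(lock_text):
    """Return the version string composer.lock pins for PACKAGE, or None."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            return pkg.get("version")
    return None

def is_affected(version_text):
    """True = older than the fix, False = fixed, None = cannot tell (dev branch, 3.x+)."""
    v = parse_version(version_text)
    if v is None or v[0] > 2:
        return None
    # Assumption: each fix applies to its own major line (1.x -> 1.0.13, 2.x -> 2.3.12).
    return v < (FIXED_1X if v[0] < 2 else FIXED_2X)

def exposed_fields(types_yaml, names=("passwordHash",)):
    """Names from `names` still defined as YAML keys (commented-out lines are ignored)."""
    keys = "|".join(re.escape(n) for n in names)
    return sorted(set(re.findall(rf"^[ \t]*({keys})[ \t]*:", types_yaml, re.M)))

# Constructed sample inputs, not copied from a real installation or from the package.
SAMPLE_LOCK = json.dumps({"packages": [{"name": PACKAGE, "version": "v2.3.11"}]})
SAMPLE_TYPES = """\
User:
    type: object
    config:
        fields:
            login:
                type: String
            passwordHash:
                type: String
"""

if __name__ == "__main__":
    version = locked_version(SAMPLE_LOCK)
    print(f"{PACKAGE} {version}: affected={is_affected(version)}")
    print("sensitive fields still exposed:", exposed_fields(SAMPLE_TYPES))
```

Pass further names such as `("passwordHash", "email", "login")` to `exposed_fields` to cover the optional properties the workaround mentions.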

Exploit

Fix

Information Disclosure

Insecure Storage of Sensitive Information

Weakness Enumeration

Related Identifiers

CVE-2022-41876
GHSA-C7PC-PGF6-MFH5

Affected Products

Ezplatform-Graphql