Skip to content

GraphQL queries can expose password hashes

Critical
glye published GHSA-c7pc-pgf6-mfh5 Nov 10, 2022

Package

composer ezsystems/ezplatform-graphql (Composer)

Affected versions

v1.0.*, v2.3.*

Patched versions

v1.0.13, v2.3.12

Description

Impact

Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically but not necessarily limited to administrators and editors.

Patches

Affected versions: Ibexa DXP v3.3.*, v4.2.*, eZ Platform v2.5.*
Resolving versions: Ibexa DXP v3.3.28, v4.2.3, eZ Platform v2.5.31

Workarounds

Remove the "passwordHash" entry from "src/bundle/Resources/config/graphql/User.types.yaml" in the GraphQL package, and other properties like hash type, email, login if you prefer.

References

Please see the public advisory at https://developers.ibexa.co/security-advisories/ibexa-sa-2022-009-critical-vulnerabilities-in-graphql-role-assignment-ct-editing-and-drafts-tooltips
This issue was reported to us by Philippe Tranca ("trancap") of the company Lexfo. We are very grateful for their research, and responsible disclosure to us of this critical vulnerability. https://www.lexfo.fr/

For more information

If you have any questions or comments about this advisory, please contact Support via your service portal.

Severity

Critical

CVE ID

CVE-2022-41876

Weaknesses

No CWEs

Credits