Headline
GHSA-j65r-g7q2-f8v3: Pimcore customers' list user password hash is disclosed
Impact
The customer view exposes the hashed password along with other deails. An attacker is then able to enum password of a particular id, likewise we can replace id with other user , for example 1015, password hash can be disclosed which can be further cracked with hashcat
Patches
Update to version 3.3.10 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/d1d58c10313f080737dc1e71fab3beb12488a1e6.patch
Workarounds
Apply https://github.com/pimcore/customer-data-framework/commit/d1d58c10313f080737dc1e71fab3beb12488a1e6.patch manually.
References
https://huntr.dev/bounties/db6c32f4-742e-4262-8fd5-cefd0f133416/
Package
composer pimcore/customer-management-framework-bundle (Composer)
Affected versions
< 3.3.10
Patched versions
3.3.10
Description
Impact
The customer view exposes the hashed password along with other deails. An attacker is then able to enum password of a particular id, likewise we can replace id with other user , for example 1015, password hash can be disclosed which can be further cracked with hashcat
Patches
Update to version 3.3.10 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/d1d58c10313f080737dc1e71fab3beb12488a1e6.patch
Workarounds
Apply https://github.com/pimcore/customer-data-framework/commit/d1d58c10313f080737dc1e71fab3beb12488a1e6.patch manually.
References
https://huntr.dev/bounties/db6c32f4-742e-4262-8fd5-cefd0f133416/
References
- GHSA-j65r-g7q2-f8v3
- https://nvd.nist.gov/vuln/detail/CVE-2023-2881
- pimcore/customer-data-framework@d1d58c1
- https://huntr.dev/bounties/db6c32f4-742e-4262-8fd5-cefd0f133416
dvesh3 published to pimcore/customer-data-framework
May 25, 2023
Published to the GitHub Advisory Database
May 25, 2023
Reviewed
May 25, 2023
Last updated
May 25, 2023
Related news
Storing Passwords in a Recoverable Format in GitHub repository pimcore/customer-data-framework prior to 3.3.10.