GHSA-fh99-4pgr-8j99: Insertion of Sensitive Information into Log File in typo3/cms-core

Package

composer typo3/cms (Composer)

Affected versions

>= 10.0.0, < 10.4.29

>= 11.0.0, < 11.5.11

Patched versions

10.4.29

11.5.11

composer typo3/cms-core (Composer)

>= 7.0.0, < 7.6.57

>= 8.0.0, < 8.7.47

>= 9.0.0, < 9.5.35

>= 10.0.0, < 10.4.29

>= 11.0.0, < 11.5.11

7.6.57

8.7.47

9.5.35

10.4.29

11.5.11

Description

Meta

• CVSS: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C (4.9)

Problem

It has been discovered that system internal credentials or keys (e.g. database credentials) have been logged as plaintext in exception handlers, when logging the complete exception stack trace.

Solution

Update to TYPO3 versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the problem described above.

Credits

Thanks to Marco Huber who reported this issue and to TYPO3 security member Torben Hansen who fixed the issue.

References

• TYPO3-CORE-SA-2022-002

References

• GHSA-fh99-4pgr-8j99
• https://nvd.nist.gov/vuln/detail/CVE-2022-31047
• TYPO3/typo3@c93ea69
• https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-31047.yaml
• https://typo3.org/security/advisory/typo3-core-sa-2022-002

ohader published the maintainer security advisory

Jun 14, 2022