Headline
GHSA-c7pc-pgf6-mfh5: ezplatform-graphql GraphQL queries can expose password hashes
Impact
Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically but not necessarily limited to administrators and editors.
Patches
Resolving versions: Ibexa DXP v1.0.13, v2.3.12
Workarounds
Remove the “passwordHash” entry from “src/bundle/Resources/config/graphql/User.types.yaml” in the GraphQL package, and other properties like hash type, email, login if you prefer.
References
This issue was reported to us by Philippe Tranca (“trancap”) of the company Lexfo. We are very grateful for their research, and responsible disclosure to us of this critical vulnerability.
For more information
If you have any questions or comments about this advisory, please contact Support via your service portal.
Impact
Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically but not necessarily limited to administrators and editors.
Patches
Resolving versions: Ibexa DXP v1.0.13, v2.3.12
Workarounds
Remove the “passwordHash” entry from “src/bundle/Resources/config/graphql/User.types.yaml” in the GraphQL package, and other properties like hash type, email, login if you prefer.
References
This issue was reported to us by Philippe Tranca (“trancap”) of the company Lexfo. We are very grateful for their research, and responsible disclosure to us of this critical vulnerability.
For more information
If you have any questions or comments about this advisory, please contact Support via your service portal.
References
- GHSA-c7pc-pgf6-mfh5
- https://developers.ibexa.co/security-advisories/ibexa-sa-2022-009-critical-vulnerabilities-in-graphql-role-assignment-ct-editing-and-drafts-tooltips
Related news
An issue was discovered in eZ Platform Ibexa Kernel before 1.3.26. The Company admin role gives excessive privileges.
Organizations advised to mandate password resets out of caution
ezplatform-graphql is a GraphQL server implementation for Ibexa DXP and Ibexa Open Source. Versions prior to 2.3.12 and 1.0.13 are subject to Insecure Storage of Sensitive Information. Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically administrators and editors. This issue has been patched in versions 2.3.12, and 1.0.13 on the 1.X branch. Users unable to upgrade can remove the "passwordHash" entry from "src/bundle/Resources/config/graphql/User.types.yaml" in the GraphQL package, and other properties like hash type, email, login if you prefer.