Ibexa DXP patched for GraphQL password hash leak vulnerability

Organizations advised to mandate password resets out of caution

Norwegian software firm Ibexa is urging users to apply a new patch immediately to resolve a sensitive data leak vulnerability impacting its Digital Experience Platform (DXP).

DXP is a business-to-business application comprising e-commerce, data management, cloud hosting, and content management system (CMS) functionality.

The flaw resides in Ibexa’s GraphQL Bundle, the GraphQL server implementation for Ibexa DXP and Ibexa Open Source. GraphQL is an open source data query language for APIs.

Read more of the latest cybersecurity vulnerability news

“It was unfortunately a critical issue. Both because it could reveal password hashes (not passwords), hash types, email addresses, and login names of some users (typically editors and admins) but also because those users then had to change their passwords, in case there had been a leak,” Gunnstein Lye, who works on product security for Ibexa, told The Daily Swig.

However, the ‘critical’ bug, tracked as CVE-2022-41876, was ultimately assigned a ‘high’ CVSS severity score of 7.5 by GitHub and then ‘medium’ by NIST (CVSS 5.3).

On November 11, Ibexa published a security advisory concerning the issue and a trio of other, less severe vulnerabilities.

Endpoint in error

The hash leak vulnerability arose from how the endpoint insecurely stored sensitive information, allowing attackers to send unauthenticated GraphQL queries for user accounts.

“In many cases, only administrators and editors are affected, as end users often do not have the required permissions,” the advisory noted. However, if a vulnerable installation also allows user-generated content, then this could expand the security issue beyond the scope of administrator and editor accounts.

The vulnerabilities are resolved in Ibexa DXP v3.3.28, v4.2.3, and eZ Platform v2.5.31.

Ibexa developers also recommend that all user passwords are reset, and that once the update has been applied, users regenerate the GraphQL schema. While the GraphQL endpoint is enabled by default, users can choose to disable this feature or enforce logins and authentication if they choose.

‘Prescient’

Lye commented: “It’s extra unfortunate when a vulnerability can’t simply be fixed by applying an update, but requires further action like this, since it slows down the resolution for our users.

“For quite some time before this we had advised users to not keep GraphQL open on the frontend if they didn’t actually use it there. Not that we suspected any vulnerability in it, but because it’s generally wise to reduce the attack surface when you can easily do so. This turned out to be almost prescient in this case.”

Ibexa thanked Lexfo security engineer Philippe Tranca for reporting the issue.

The other resolved security flaws – a subtree limitation failure in role assignment policies, a cross-site scripting (XSS) flaw in content type entries ‘name’ and ‘short name’, and an HTML tag injection issue – require backend access with high-level privileges to exploit, said Lye.

YOU MIGHT ALSO LIKE Zendesk Explore flaws opened the door to account pillage