Security
Headlines
HeadlinesLatestCVEs

Headline

Ibexa DXP patched for GraphQL password hash leak vulnerability

Organizations advised to mandate password resets out of caution

PortSwigger
#xss#vulnerability#git#auth

Organizations advised to mandate password resets out of caution

Norwegian software firm Ibexa is urging users to apply a new patch immediately to resolve a sensitive data leak vulnerability impacting its Digital Experience Platform (DXP).

DXP is a business-to-business application comprising e-commerce, data management, cloud hosting, and content management system (CMS) functionality.

The flaw resides in Ibexa’s GraphQL Bundle, the GraphQL server implementation for Ibexa DXP and Ibexa Open Source. GraphQL is an open source data query language for APIs.

Read more of the latest cybersecurity vulnerability news

“It was unfortunately a critical issue. Both because it could reveal password hashes (not passwords), hash types, email addresses, and login names of some users (typically editors and admins) but also because those users then had to change their passwords, in case there had been a leak,” Gunnstein Lye, who works on product security for Ibexa, told The Daily Swig.

However, the ‘critical’ bug, tracked as CVE-2022-41876, was ultimately assigned a ‘high’ CVSS severity score of 7.5 by GitHub and then ‘medium’ by NIST (CVSS 5.3).

On November 11, Ibexa published a security advisory concerning the issue and a trio of other, less severe vulnerabilities.

Endpoint in error

The hash leak vulnerability arose from how the endpoint insecurely stored sensitive information, allowing attackers to send unauthenticated GraphQL queries for user accounts.

“In many cases, only administrators and editors are affected, as end users often do not have the required permissions,” the advisory noted. However, if a vulnerable installation also allows user-generated content, then this could expand the security issue beyond the scope of administrator and editor accounts.

The vulnerabilities are resolved in Ibexa DXP v3.3.28, v4.2.3, and eZ Platform v2.5.31.

Ibexa developers also recommend that all user passwords are reset, and that once the update has been applied, users regenerate the GraphQL schema. While the GraphQL endpoint is enabled by default, users can choose to disable this feature or enforce logins and authentication if they choose.

‘Prescient’

Lye commented: “It’s extra unfortunate when a vulnerability can’t simply be fixed by applying an update, but requires further action like this, since it slows down the resolution for our users.

“For quite some time before this we had advised users to not keep GraphQL open on the frontend if they didn’t actually use it there. Not that we suspected any vulnerability in it, but because it’s generally wise to reduce the attack surface when you can easily do so. This turned out to be almost prescient in this case.”

Ibexa thanked Lexfo security engineer Philippe Tranca for reporting the issue.

The other resolved security flaws – a subtree limitation failure in role assignment policies, a cross-site scripting (XSS) flaw in content type entries ‘name’ and ‘short name’, and an HTML tag injection issue – require backend access with high-level privileges to exploit, said Lye.

YOU MIGHT ALSO LIKE Zendesk Explore flaws opened the door to account pillage

Related news

CVE-2022-48365: Critical vulnerabilities in GraphQL, role assignment, CT editing, and drafts tooltips

An issue was discovered in eZ Platform Ibexa Kernel before 1.3.26. The Company admin role gives excessive privileges.

GHSA-c7pc-pgf6-mfh5: ezplatform-graphql GraphQL queries can expose password hashes

### Impact Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically but not necessarily limited to administrators and editors. ### Patches Resolving versions: Ibexa DXP v1.0.13, v2.3.12 ### Workarounds Remove the "passwordHash" entry from "src/bundle/Resources/config/graphql/User.types.yaml" in the GraphQL package, and other properties like hash type, email, login if you prefer. ### References This issue was reported to us by Philippe Tranca ("trancap") of the company Lexfo. We are very grateful for their research, and responsible disclosure to us of this critical vulnerability. ### For more information If you have any questions or comments about this advisory, please contact Support via your service portal.

CVE-2022-41876: GraphQL queries can expose password hashes

ezplatform-graphql is a GraphQL server implementation for Ibexa DXP and Ibexa Open Source. Versions prior to 2.3.12 and 1.0.13 are subject to Insecure Storage of Sensitive Information. Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically administrators and editors. This issue has been patched in versions 2.3.12, and 1.0.13 on the 1.X branch. Users unable to upgrade can remove the "passwordHash" entry from "src/bundle/Resources/config/graphql/User.types.yaml" in the GraphQL package, and other properties like hash type, email, login if you prefer.

PortSwigger: Latest News

We’re going teetotal: It’s goodbye to The Daily Swig