ezplatform-graphql is a popular GraphQL server implementation used in Ibexa DXP and Ibexa Open Source. Unfortunately, versions prior to 2.3.12 and 1..13 suffer from a critical vulnerability that may lead to the exposure of sensitive user information. Specifically, the issue stems from insecure exposure of user account details, allowing an attacker to read the password hashes of users who have created or modified content. The affected users are typically administrators and editors.

In this long-read post, we'll explore the details of CVE-2022-41876, with a focus on the vulnerability, potential impact, how to mitigate the issue, and applicable links for further reference.

Vulnerability Details

The core issue in CVE-2022-41876 stems from a lack of proper access control in the GraphQL schema. This oversight permits unauthenticated GraphQL queries to read user accounts, thereby exposing password hashes. Although the passwords are stored as hashes rather than in clear text, an attacker who obtains the hashes can attempt to crack them offline to recover the actual passwords, which could lead to unauthorized access and potentially compromise the entire system.

Here's an example of a GraphQL query that could exploit this vulnerability:

query {
  user(id: 5) {
    id
    name
    email
    passwordHash
    hashType
  }
}

As shown, the passwordHash and hashType fields can be selected directly in the query, allowing attackers to gather crucial information about targeted user accounts.

Mitigation and Patch

The good news is that this vulnerability has been addressed in versions 2.3.12 and 1..13. Users are strongly recommended to upgrade their systems to these patched versions to enhance security.

For those users who cannot immediately upgrade, there's a workaround involving the removal of specific entries from the configuration file. To do this, locate the "User.types.yaml" file in the following directory: "src/bundle/Resources/config/graphql". Then, remove the "passwordHash" entry from the file along with any other properties that could expose sensitive data, such as hash type, email, and login.
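After upgrading or trimming User.types.yaml, it is worth confirming that the deployed schema really no longer exposes those properties. The following is an added example, not code from ezplatform-graphql or Ibexa: it audits a GraphQL introspection result for the sensitive field names named above and also flags logged query bodies that select them. The introspection documents embedded here are constructed for the demo; in practice you would run the standard introspection query against your endpoint and feed the JSON response to find_exposed_fields.

```python
"""Audit a GraphQL introspection result for sensitive user fields (added example)."""
import re

# Properties the advisory and workaround say must not be exposed on the User type.
SENSITIVE_FIELDS = {"passwordHash", "hashType", "email", "login"}


def find_exposed_fields(introspection: dict, type_names=("User",)) -> list:
    """Return (type, field) pairs from an introspection result where one of the
    given object types still carries a sensitive field. Empty list means clean."""
    exposed = []
    for gql_type in introspection["__schema"]["types"]:
        if gql_type.get("kind") != "OBJECT" or gql_type["name"] not in type_names:
            continue
        for field in gql_type.get("fields") or []:
            if field["name"] in SENSITIVE_FIELDS:
                exposed.append((gql_type["name"], field["name"]))
    return exposed


_SELECTION_RE = re.compile(r"\b(" + "|".join(sorted(SENSITIVE_FIELDS)) + r")\b")


def query_selects_sensitive(query_text: str) -> set:
    """Sensitive field names selected in a logged query body. Useful for flagging
    probing traffic in request logs while the fix is being rolled out."""
    return set(_SELECTION_RE.findall(query_text))


# Constructed samples: a schema as shipped before the fix, and one after the
# passwordHash/hashType/email entries were removed from User.types.yaml.
VULNERABLE_SCHEMA = {"__schema": {"types": [
    {"kind": "OBJECT", "name": "User", "fields": [
        {"name": "id"}, {"name": "name"}, {"name": "email"},
        {"name": "passwordHash"}, {"name": "hashType"}]},
    {"kind": "OBJECT", "name": "Query", "fields": [{"name": "user"}]},
]}}
FIXED_SCHEMA = {"__schema": {"types": [
    {"kind": "OBJECT", "name": "User", "fields": [{"name": "id"}, {"name": "name"}]},
    {"kind": "OBJECT", "name": "Query", "fields": [{"name": "user"}]},
]}}

if __name__ == "__main__":
    for label, schema in (("vulnerable", VULNERABLE_SCHEMA), ("fixed", FIXED_SCHEMA)):
        print(label, find_exposed_fields(schema) or "no sensitive fields exposed")
    print(query_selects_sensitive("query { user(id: 5) { id passwordHash hashType } }"))
```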

References

- CVE-2022-41876 Official Record
- Ibexa DXP Official Website
- Ibexa Open Source Official Website
- ezplatform-graphql GitHub Repository

Conclusion

It is essential for users of ezplatform-graphql to address CVE-2022-41876 by updating their systems to patched versions or implementing the suggested workaround. This measure will help ensure the security of sensitive user data and prevent unauthorized access to the system. Make it a priority to stay informed of vulnerabilities and apply necessary updates to maintain a robust and secure environment.

Timeline

Published on: 11/10/2022 21:15:00 UTC
Last modified on: 11/15/2022 20:10:00 UTC