CVE-2022-41876 HIGH

CVE-2022-41876: ezplatform-graphql GraphQL queries can expose password hashes

Vendor Ezsystems

Product ezplatform-graphql

Weakness CWE-200 · Info exposure

Published November 10, 2022

Last update April 23, 2025

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

ezplatform-graphql is a GraphQL server implementation for Ibexa DXP and Ibexa Open Source. Versions prior to 2.3.12 and 1.0.13 are subject to Insecure Storage of Sensitive Information. Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically administrators and editors. This issue has been patched in versions 2.3.12, and 1.0.13 on the 1.X branch. Users unable to upgrade can remove the "passwordHash" entry from "src/bundle/Resources/config/graphql/User.types.yaml" in the GraphQL package, and other properties like hash type, email, login if you prefer.

Key dates

02Disclosure timeline

November 10, 2022 CVE published

April 23, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-41876

Related vulnerabilities

Identifiers

CVE CVE-2022-41876

CWE CWE-200

CVSS 7.5 / HIGH

Affected versions

Vendor Ezsystems

Product ezplatform-graphql

Affected < 1.0.13

Vendor Ezsystems

Product ezplatform-graphql

Affected >= v2.0.0-beta1, < 2.3.12

CVE-2022-41876: ezplatform-graphql GraphQL queries can expose password hashes

01Description

02Disclosure timeline

03References

04Related CVE