Connect with us

Hi, what are you looking for?

Cyber Security

Ibexa DXP patched for GraphQL password hash leak vulnerability

Norwegian software firm Ibexa is urging users to apply a new patch immediately to resolve a sensitive data leak vulnerability impacting its Digital Experience Platform (DXP).

DXP is a business-to-business application comprising e-commerce, data management, cloud hosting, and content management system (CMS) functionality.

The flaw resides in Ibexa’s GraphQL Bundle, the GraphQL server implementation for Ibexa DXP and Ibexa Open Source. GraphQL is an open source data query language for APIs.

“It was unfortunately a critical issue. Both because it could reveal password hashes (not passwords), hash types, email addresses, and login names of some users (typically editors and admins) but also because those users then had to change their passwords, in case there had been a leak,” Gunnstein Lye, who works on product security for Ibexa, told The Daily Swig.

However, the ‘critical’ bug, tracked as CVE-2022-41876, was ultimately assigned a ‘high’ CVSS severity score of 7.5 by GitHub and then ‘medium’ by NIST (CVSS 5.3).

On November 11, Ibexa published a security advisory concerning the issue and a trio of other, less severe vulnerabilities.

Endpoint in error

The hash leak vulnerability arose from how the ezplatform-graphql endpoint insecurely stored sensitive information, allowing attackers to send unauthenticated GraphQL queries for user accounts.

“In many cases, only administrators and editors are affected, as end users often do not have the required permissions,” the advisory noted. However, if a vulnerable installation also allows user-generated content, then this could expand the security issue beyond the scope of administrator and editor accounts.

The vulnerabilities are resolved in Ibexa DXP v3.3.28, v4.2.3, and eZ Platform v2.5.31.

Ibexa developers also recommend that all user passwords are reset, and that once the update has been applied, users regenerate the GraphQL schema. While the GraphQL endpoint is enabled by default, users can choose to disable this feature or enforce logins and authentication if they choose.

‘Prescient’

Lye commented: “It’s extra unfortunate when a vulnerability can’t simply be fixed by applying an update, but requires further action like this, since it slows down the resolution for our users.

“For quite some time before this we had advised users to not keep GraphQL open on the frontend if they didn’t actually use it there. Not that we suspected any vulnerability in it, but because it’s generally wise to reduce the attack surface when you can easily do so. This turned out to be almost prescient in this case.”

Ibexa thanked Lexfo security engineer Philippe Tranca for reporting the issue.

The other resolved security flaws – a subtree limitation failure in role assignment policies, a cross-site scripting (XSS) flaw in content type entries ‘name’ and ‘short name’, and an HTML tag injection issue – require backend access with high-level privileges to exploit, said Lye.

Copyright 2021 Associated Press. All rights reserved.

Advertisement. Scroll to continue reading.

Source: https://portswigger.net/daily-swig/ibexa-dxp-patched-for-graphql-password-hash-leak-vulnerability

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two...

Cyber Security

Businesses and developers are focusing more on the security of applications in their digital environment as cyber threats and data breaches continue escalating. The...

Cyber Security

HCL BigFix is an endpoint management platform that has the capability to automate discovery, management, and remediation. It can find and fix vulnerabilities on...

Cyber Security

Researchers at the RWTH Aachen University in Germany published a study revealing that tens of thousands of container images hosted on Docker Hub contain...

Copyright © 2023 Newsworthy News | Global | Political | Local | All News | Website By: Top Search SEO