CVE-2022-24784 : Statamic is a Laravel and Git powered CMS. Before versions 3.2.39 and 3.3.2, it

Statamic is a Laravel and Git powered CMS. Before versions 3.2.39 and 3.3.2, it is possible to confirm a single character of a user's password hash using a specially crafted regular expression filter in the users endpoint of the REST API. Multiple such requests can eventually uncover the entire hash. The hash is not present in the response, however the presence or absence of a result confirms if the character is in the right position. The API has throttling enabled by default, making this a time intensive task. Both the REST API and the users endpoint need to be enabled, as they are disabled by default. The issue has been fixed in versions 3.2.39 and above, and 3.3.2 and above.

Published 2022-03-25 22:15:08

Updated 2023-06-30 18:51:33

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2022-24784

Statamic » Statamic
Versions from including (>=) 3.3.0 and before (<) 3.3.2
cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*
Matching versions
Statamic » Statamic
Versions before (<) 3.2.39
cpe:2.3:a:statamic:statamic:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-24784

EPSS FAQ

0.25%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 49 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-24784

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
3.7	LOW	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N	2.2	1.4	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None
3.7	LOW	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N	2.2	1.4	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2022-24784

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: security-advisories@github.com (Secondary)
CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Assigned by: nvd@nist.gov (Primary)
CWE-326 Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-24784

https://github.com/statamic/cms/issues/5604

Prevent filtering users by password hashes in the APIs by jasonvarga · Pull Request #5604 · statamic/cms · GitHub
Issue Tracking;Patch;Third Party Advisory
https://github.com/statamic/cms/security/advisories/GHSA-qcgx-7p5f-hxvr

Discoverability of user password hash via REST API · Advisory · statamic/cms · GitHub
Third Party Advisory
https://github.com/statamic/cms/pull/5568

Prevent filtering users by password hashes in the APIs by jasonvarga · Pull Request #5568 · statamic/cms · GitHub
Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-24784

Products affected by CVE-2022-24784

Exploit prediction scoring system (EPSS) score for CVE-2022-24784

CVSS scores for CVE-2022-24784

CWE ids for CVE-2022-24784

References for CVE-2022-24784