CVE-2022-24784

Discoverability of user password hash in Statamic CMS

Severity Score

3.7

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Statamic is a Laravel and Git powered CMS. Before versions 3.2.39 and 3.3.2, it is possible to confirm a single character of a user's password hash using a specially crafted regular expression filter in the users endpoint of the REST API. Multiple such requests can eventually uncover the entire hash. The hash is not present in the response, however the presence or absence of a result confirms if the character is in the right position. The API has throttling enabled by default, making this a time intensive task. Both the REST API and the users endpoint need to be enabled, as they are disabled by default. The issue has been fixed in versions 3.2.39 and above, and 3.3.2 and above.

Statamic es un CMS basado en Laravel y Git. En versiones anteriores a 3.2.39 y 3.3.2, es posible confirmar un solo carácter del hash de la contraseña de un usuario usando un filtro de expresión regular especialmente diseñado en el endpoint de usuarios de la API REST. Varias peticiones de este tipo pueden llegar a detectar el hash completo. El hash no está presente en la respuesta, sin embargo la presencia o ausencia de un resultado confirma si el carácter está en la posición correcta. La API presenta habilitada la aceleración por defecto, lo que hace que esta tarea requiera mucho tiempo. Es necesario habilitar tanto la API REST como el endpoint de usuarios, ya que están deshabilitados por defecto. El problema ha sido solucionado en versiones 3.2.39 y superiores, y 3.3.2 y superiores

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-02-10 CVE Reserved
2022-03-25 CVE Published
2024-08-03 CVE Updated
2024-10-29 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-203: Observable Discrepancy

CAPEC

References (3)

URL	Tag	Source
https://github.com/statamic/cms/security/advisories/GHSA-qcgx-7p5f-hxvr	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/statamic/cms/issues/5604	2023-06-30
https://github.com/statamic/cms/pull/5568	2023-06-30

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Statamic Search vendor "Statamic"		Statamic Search vendor "Statamic" for product "Statamic"				< 3.2.39 Search vendor "Statamic" for product "Statamic" and version " < 3.2.39"		-		Affected
Statamic Search vendor "Statamic"		Statamic Search vendor "Statamic" for product "Statamic"				>= 3.3.0 < 3.3.2 Search vendor "Statamic" for product "Statamic" and version " >= 3.3.0 < 3.3.2"		-		Affected