3.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24784

GHSA ID

GHSA-qcgx-7p5f-hxvr

EPSS Score

0.48604%

CWE

CWE-200

Published

3/29/2022

Updated

6/30/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-24784

CVE-2022-24784:
Discoverability of user password hash in Statamic CMS

Description

It was possible to confirm a single character of a user's password hash (just the hash, not the password) using a specially crafted regular expression filter in the users endpoint of the REST API. Many requests could eventually uncover the entire hash.

The hash would not be in the response, however the presence or absence of a result would confirm if the character was in the right position. It would take a long time since the API has throttling enabled by default.

Additionally, the REST API would need to be enabled, as well as the users endpoint. Both of which are disabled by default.

Resolution

Filtering by password or password hash has been disabled.

Credits

We would like to thank Thibaud Kehler for reporting the issue.

(GitHub Advisory)

3.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24784

GHSA ID

GHSA-qcgx-7p5f-hxvr

EPSS Score

0.48604%

CWE

CWE-200

Published

3/29/2022

Updated

6/30/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
statamic/cms	composer	< 3.2.39	3.2.39
statamic/cms	composer	>= 3.3.0, < 3.3.2	3.3.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from API endpoints allowing regex filtering on password hash fields. The pull requests (#5568/#5604) explicitly disabled filtering by password/password_hash fields, indicating these functions previously lacked field restrictions. The UserController.index method would handle API filtering requests, while UserQueryBuilder.process() would process the actual filtering logic. Both would need modifications to implement the security restriction described in the resolution.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## **s*ription It w*s possi*l* to *on*irm * sin*l* ***r**t*r o* * us*r's p*sswor* **s* (just t** **s*, not t** p*sswor*) usin* * sp**i*lly *r**t** r**ul*r *xpr*ssion *ilt*r in t** us*rs *n*point o* t** R*ST *PI. M*ny r*qu*sts *oul* *v*ntu*lly un*ov*

Reasoning

T** vuln*r**ility st*ms *rom *PI *n*points *llowin* r***x *ilt*rin* on p*sswor* **s* *i*l*s. T** pull r*qu*sts (#****/#****) *xpli*itly *is**l** *ilt*rin* *y p*sswor*/p*sswor*_**s* *i*l*s, in*i**tin* t**s* *un*tions pr*viously l**k** *i*l* r*stri*tio

3.7

Basic Information

Concerned about an active attack path?

CVE-2022-24784: Discoverability of user password hash in Statamic CMS

Description

Resolution

Credits

3.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-24784:
Discoverability of user password hash in Statamic CMS

Vulnerability Intelligence
Miggo AI