CVE-2022-24784: Discoverability of user password hash in Statamic CMS

CVSS Score (v3.1): 3.7

Basic Information

EPSS Score: 0.48604%
Published: 3/29/2022
Updated: 6/30/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| statamic/cms | composer | < 3.2.39 | 3.2.39 |
| statamic/cms | composer | >= 3.3.0, < 3.3.2 | 3.3.2 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from API endpoints allowing regex filtering on password hash fields. The pull requests (#5568/#5604) explicitly disabled filtering by password/password_hash fields, indicating these functions previously lacked field restrictions. The UserController.index method would handle API filtering requests, while UserQueryBuilder.process() would process the actual filtering logic. Both would need modifications to implement the security restriction described in the resolution.
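
The kind of field restriction described above, sketched as an added example; it is not Statamic's code and not the code from the referenced pull requests. The function name, the `field:condition` key format and the sample filters are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical guard, not Statamic's implementation: refuse API filters
// that target credential fields before any query is built.
const BLOCKED_FILTER_FIELDS = ['password', 'password_hash'];

/**
 * @param array<string, mixed> $filters Filter map keyed as "field" or
 *        "field:condition" (assumed key format).
 * @param string[] $blocked Lower-case field names that may never be filtered on.
 * @return array<string, mixed> The filters, unchanged, if all are allowed.
 * @throws InvalidArgumentException if any filter targets a blocked field.
 */
function assertFiltersAllowed(array $filters, array $blocked = BLOCKED_FILTER_FIELDS): array
{
    foreach (array_keys($filters) as $key) {
        // Split off the condition and compare the field case-insensitively,
        // so "Password_Hash:regex" is treated the same as "password_hash".
        $field = strtolower(trim(explode(':', (string) $key, 2)[0]));

        // The field is blocked for every condition, not only regex: any
        // comparison against a secret value answers a yes/no question about it.
        if (in_array($field, $blocked, true)) {
            throw new InvalidArgumentException("Filtering by \"$field\" is not allowed.");
        }
    }
    return $filters;
}

// Constructed sample requests (not taken from the advisory).
$requests = [
    ['title:contains' => 'news'],
    ['email:is' => 'a@example.com', 'Password_Hash:regex' => '(constructed value)'],
];

foreach ($requests as $filters) {
    try {
        assertFiltersAllowed($filters);
        echo 'allowed: ', implode(', ', array_keys($filters)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        // Fail closed: reject the whole request instead of dropping one filter.
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```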

WAF Protection Rules

WAF Rule

## Description

It was possible to confirm a single character of a user's password hash (just the hash, not the password) using a specially crafted regular expression filter in the users endpoint of the REST API. Many requests could eventually uncove
