9.8

CVSS Score

Basic Information

CVE ID

CVE-2022-48367

GHSA ID

GHSA-h5v2-wrhp-5v35

EPSS Score

CWE

CWE-862

Published

3/12/2023

Updated

8/17/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-48367

CVE-2022-48367:
Access control issue in ezsystems/ezpublish-kernel

Access control based on object state is mishandled. This is a policy you can use in your roles to limit access to content based on specific object state values. Due to a flawed earlier update, these limitations were ineffective in releases made since February 16th 2022. They would grant access to the given content regardless of the object state. Depending on how your frontent is designed, knowing the URL to the content may or may not be required to access it. If you are using object state limitations in your roles, this issue is critical. Please apply the fix as soon as possible.

(GitHub Advisory)

9.8

CVSS Score

Basic Information

CVE ID

CVE-2022-48367

GHSA ID

GHSA-h5v2-wrhp-5v35

EPSS Score

CWE

CWE-862

Published

3/12/2023

Updated

8/17/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ezsystems/ezpublish-kernel	composer	>= 7.5.0, < 7.5.28	7.5.28

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly states that object state-based access control limitations were ineffective due to a flawed update. The ObjectStateLimitationType::evaluate method is the core component responsible for evaluating whether a user meets the object state requirements. A failure in this method to properly check the object state would directly explain why access was granted regardless of state. This matches the CWE-862 (Missing Authorization) classification, as the authorization check was not properly implemented in the affected versions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

****ss *ontrol **s** on o*j**t st*t* is mis**n*l**. T*is is * poli*y you **n us* in your rol*s to limit ****ss to *ont*nt **s** on sp**i*i* o*j**t st*t* v*lu*s. *u* to * *l*w** **rli*r up**t*, t**s* limit*tions w*r* in*****tiv* in r*l**s*s m*** sin**

Reasoning

T** vuln*r**ility **s*ription *xpli*itly st*t*s t**t o*j**t st*t*-**s** ****ss *ontrol limit*tions w*r* in*****tiv* *u* to * *l*w** up**t*. T** O*j**tSt*t*Limit*tionTyp*::*v*lu*t* m*t*o* is t** *or* *ompon*nt r*sponsi*l* *or *v*lu*tin* w**t**r * us*r

9.8

Basic Information

Concerned about an active attack path?

CVE-2022-48367: Access control issue in ezsystems/ezpublish-kernel

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-48367:
Access control issue in ezsystems/ezpublish-kernel

Vulnerability Intelligence
Miggo AI