N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-mgfg-7533-7jf6

EPSS Score

CWE

Published

12/2/2024

Updated

12/2/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-mgfg-7533-7jf6

GHSA-mgfg-7533-7jf6: ezsystems/ezplatform-http-cache affected by Breach with Varnish VCL

Impact

This is not a vulnerability in the code per se, but included Varnish VCL templates enable compression of API and JSON messages. This is a potential case of the BREACH vulnerability, which affects HTTP compression, where secrets can be extracted through carefully crafted requests. The fix disables compression in these templates. Please make sure to make the same change in your configuration files, see the release notes for specific instructions. Please check your web server configuration as well.

Patches

See "Patched versions".
https://github.com/ezsystems/ezplatform-http-cache/commit/ca8a5cf69b2c14fbec90412aeeef5c755c51457b

Workarounds

Make sure HTTP compression is disabled for REST API requests and other communication that might contain secrets.

References

Advisory: https://developers.ibexa.co/security-advisories/ibexa-sa-2024-006-vulnerabilities-in-content-name-pattern-commerce-shop-and-varnish-vhost-templates
Release notes: https://doc.ibexa.co/en/latest/update_and_migration/from_3.3/update_from_3.3/#v3341
https://github.com/ibexa/post-install/security/advisories/GHSA-4h8f-c635-25p7
https://github.com/ibexa/http-cache/security/advisories/GHSA-fh7v-q458-7vmw
https://www.breachattack.com/

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-mgfg-7533-7jf6

EPSS Score

CWE

Published

12/2/2024

Updated

12/2/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ezsystems/ezplatform-http-cache	composer	< 2.3.16	2.3.16

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Varnish VCL templates enabling compression for content types carrying sensitive data (JSON/API responses). The commit diff shows removal of 'application/json' and 'application/vnd.ez.api' from compression conditions in both varnish5.vcl and varnish7.vcl files. These subroutines control response handling, and their compression of secret-bearing content types created a BREACH attack surface. The direct correlation between the patch changes and vulnerability description confirms these as the vulnerable points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T*is is not * vuln*r**ility in t** *o** p*r s*, *ut in*lu*** V*rnis* V*L t*mpl*t*s *n**l* *ompr*ssion o* *PI *n* JSON m*ss***s. T*is is * pot*nti*l **s* o* t** *R**** vuln*r**ility, w*i** *****ts *TTP *ompr*ssion, w**r* s**r*ts **n ** *xtr

Reasoning

T** vuln*r**ility st*ms *rom V*rnis* V*L t*mpl*t*s *n**lin* *ompr*ssion *or *ont*nt typ*s **rryin* s*nsitiv* **t* (JSON/*PI r*spons*s). T** *ommit *i** s*ows r*mov*l o* '*ppli**tion/json' *n* '*ppli**tion/vn*.*z.*pi' *rom *ompr*ssion *on*itions in *o

N/A

Basic Information

Concerned about an active attack path?

GHSA-mgfg-7533-7jf6: ezsystems/ezplatform-http-cache affected by Breach with Varnish VCL

Impact

Patches

Workarounds

References

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI