CVE-2022-24784
low-risk
Published 2022-03-25
Statamic is a Laravel and Git powered CMS. Before versions 3.2.39 and 3.3.2, it is possible to confirm a single character of a user's password hash using a specially crafted regular expression filter in the users endpoint of the REST API. Multiple such requests can eventually uncover the entire hash. The hash is not present in the response, however the presence or absence of a result confirms if the character is in the right position. The API has throttling enabled by default, making this a time intensive task. Both the REST API and the users endpoint need to be enabled, as they are disabled by default. The issue has been fixed in versions 3.2.39 and above, and 3.3.2 and above.
Do I need to act?
-
0.27% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.7/10
Low
NETWORK
/ HIGH complexity
Affected Products (1)
Affected Vendors
References (6)
Issue Tracking
https://github.com/statamic/cms/issues/5604
Third Party Advisory
https://github.com/statamic/cms/security/advisories/GHSA-qcgx-7p5f-hxvr
Issue Tracking
https://github.com/statamic/cms/issues/5604
Third Party Advisory
https://github.com/statamic/cms/security/advisories/GHSA-qcgx-7p5f-hxvr
19
/ 100
low-risk
Severity
13/34 · Low
Exploitability
1/34 · Minimal
Exposure
5/34 · Minimal