Skip to content

Information Disclosure via Exception Handling/Logger

Moderate
ohader published GHSA-fh99-4pgr-8j99 Jun 14, 2022

Package

composer typo3/cms-core (Composer)

Affected versions

7.0.0-7.6.56, 8.0.0-8.7.46, 9.0.0-9.5.34, 10.0.0-10.4.28, 11.0.0-11.5.10

Patched versions

7.6.57, 8.7.47, 9.5.35, 10.4.29, 11.5.11

Description

Meta

  • CVSS: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C (4.9)

Problem

It has been discovered that system internal credentials or keys (e.g. database credentials) have been logged as plaintext in exception handlers, when logging the complete exception stack trace.

Solution

Update to TYPO3 versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the problem described above.

Credits

Thanks to Marco Huber who reported this issue and to TYPO3 security member Torben Hansen who fixed the issue.

References

Severity

Moderate
5.3
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2022-31047

Weaknesses

Credits