Cyber Resilience

CVE-2022-41876

Severity: High
Published: 10 November 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available (fixed in 2.3.12 and 1.0.13)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0416 (88.9th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-41876 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Ibexa's ezplatform-graphql package. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 11.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-41876 is an insecure storage of sensitive information vulnerability in ezplatform-graphql, the GraphQL server implementation for Ibexa DXP and Ibexa Open Source. Versions prior to 2.3.12 and 1.0.13 allow unauthenticated GraphQL queries against user accounts to return password hashes for any users who have created or modified content, which typically includes administrators and editors. The issue is tracked under CWE-200 and CWE-922 with a CVSS 3.1 score of 7.5.

An attacker with network access and no credentials can issue GraphQL queries to retrieve the stored password hashes, enabling offline cracking attempts against privileged accounts and potential account takeover.

The GitHub Security Advisory GHSA-c7pc-pgf6-mfh5 states that the flaw is fixed in ezplatform-graphql 2.3.12 and 1.0.13. Administrators unable to upgrade can edit src/bundle/Resources/config/graphql/User.types.yaml to remove the passwordHash field and optionally other sensitive properties such as email or login.

EPSS for this CVE rose from a low baseline to a peak of 0.1081 on 2025-12-11 before receding to the current value of 0.0416, indicating a period of increased exploitation interest after disclosure.

Vulnerability details

ezplatform-graphql is a GraphQL server implementation for Ibexa DXP and Ibexa Open Source. Versions prior to 2.3.12 and 1.0.13 are subject to Insecure Storage of Sensitive Information. Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically administrators and editors. This issue has been patched in versions 2.3.12, and 1.0.13 on the 1.X branch. Users unable to upgrade can remove the "passwordHash" entry from "src/bundle/Resources/config/graphql/User.types.yaml" in the GraphQL package and, if preferred, other properties such as hash type, email and login.
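As an added example, not part of this record or of the Ibexa project, the following Python check scans GraphQL request-log lines for queries that select the password hash field on a user object, which is the exposure described above. The JSON log format, the field name hashType (the advisory only says "hash type"), the schema path in the sample queries and the sample lines themselves are assumptions constructed for illustration; only the field name passwordHash comes from the advisory.

```python
"""Detect GraphQL requests that select the User password hash fields.

Constructed example for the ezplatform-graphql advisory: it scans
JSON request-log lines (the log format is an assumption) and flags any
query that selects the passwordHash field, or the hash-type field, on a
user object. Useful for checking whether the endpoint is being probed
while the patch or the User.types.yaml change is rolled out.
"""
import json
import re
from typing import Iterable

# "passwordHash" is the field named in the advisory; "hashType" is an
# assumed name for the hash-type property the advisory also mentions.
SENSITIVE_USER_FIELDS = ("passwordHash", "hashType")

# GraphQL string literals (block and regular) and line comments are
# removed first so that a query which merely mentions the word inside a
# string argument does not trigger a false positive.
_STRING_OR_COMMENT = re.compile(
    r'"""[\s\S]*?"""'            # block string
    r'|"(?:\\.|[^"\\\n])*"'      # regular string with escapes
    r'|#[^\n]*'                  # comment to end of line
)


def selected_sensitive_fields(query: str) -> list[str]:
    """Return the sensitive field names selected in a GraphQL document."""
    stripped = _STRING_OR_COMMENT.sub(" ", query)
    # A field selection is the bare name, optionally preceded by an alias
    # ("hash: passwordHash"), so a word-boundary match on the name is enough.
    return [f for f in SENSITIVE_USER_FIELDS
            if re.search(rf"\b{re.escape(f)}\b", stripped)]


def scan_request_log(lines: Iterable[str]) -> list[dict]:
    """Parse JSON request-log lines and report hits.

    Each line is expected to be a JSON object with "ts", "remote_addr",
    "user" (null when the request was unauthenticated) and "body", where
    body is the JSON the client posted to the GraphQL endpoint. Lines that
    are not valid JSON or carry no query string are skipped.
    """
    hits = []
    for raw in lines:
        try:
            entry = json.loads(raw)
            query = entry["body"]["query"]
        except (ValueError, KeyError, TypeError):
            continue
        if not isinstance(query, str):
            continue
        fields = selected_sensitive_fields(query)
        if fields:
            hits.append({
                "ts": entry.get("ts"),
                "remote_addr": entry.get("remote_addr"),
                "authenticated": entry.get("user") is not None,
                "fields": fields,
            })
    return hits


# Constructed sample log lines (not real traffic); the "users" path is
# an assumed schema shape, the check only depends on the field names.
SAMPLE_LOG = [
    json.dumps({"ts": "2022-11-10T08:00:00Z", "remote_addr": "10.0.0.5",
                "user": "editor1",
                "body": {"query": "{ users { login email } }"}}),
    json.dumps({"ts": "2022-11-10T08:00:02Z", "remote_addr": "203.0.113.9",
                "user": None,
                "body": {"query": "query { users { login hash: passwordHash hashType } }"}}),
    json.dumps({"ts": "2022-11-10T08:00:03Z", "remote_addr": "10.0.0.7",
                "user": "editor2",
                "body": {"query": '{ search(text: "passwordHash") { id } }'}}),
    "not json at all",
]

if __name__ == "__main__":
    for hit in scan_request_log(SAMPLE_LOG):
        print(hit)
```

Only the second sample line is reported: it is unauthenticated and selects both sensitive fields, even though passwordHash is hidden behind an alias. The third line is not reported because the field name only occurs inside a string argument. An unauthenticated hit on a version below 1.0.13 or 2.3.12 is a strong signal that the hashes were actually returned, so treat it as a credential-exposure event for the affected accounts rather than just a probe.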

CWE(s): CWE-200, CWE-922

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: ibexa
Product: ezplatform-graphql
Affected versions: 1.0.0 up to (excluding) 1.0.13; 2.0.0 up to (excluding) 2.3.12

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Each of the following controls addresses CWE-200 and CWE-922:

- Documenting information locations and authorized users enables better protection against unauthorized exposure of sensitive data.
- Requiring equivalent controls at the alternate storage site prevents unauthorized exposure of sensitive backup data.
- Protecting confidentiality of backup information prevents unauthorized exposure of sensitive data stored in backups.
- Policies mandate protection of CUI on external systems, directly reducing unauthorized exposure of sensitive information.
- Categorization identifies sensitive data so that confidentiality protections commensurate with impact level are selected and documented.
- Encrypting or otherwise protecting data at rest directly prevents unauthorized actors from reading sensitive information stored on disk or other media.
- Fragmentation across systems ensures that exposure from any single component yields only incomplete information, directly reducing the impact of unauthorized disclosure.
- OPSEC controls directly protect supply chain information from unauthorized observation or disclosure.
