CVE-2022-41876
Published: 10 November 2022
Summary
CVE-2022-41876 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Ibexa Ezplatform-Graphql. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 11.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-41876 is an insecure storage of sensitive information vulnerability in ezplatform-graphql, the GraphQL server implementation for Ibexa DXP and Ibexa Open Source. Versions prior to 2.3.12 and 1.0.13 allow unauthenticated GraphQL queries against user accounts to return password hashes for any users who have created or modified content, which typically includes administrators and editors. The issue is tracked under CWE-200 and CWE-922 with a CVSS 3.1 score of 7.5.
An attacker with network access and no credentials can issue GraphQL queries to retrieve the stored password hashes, enabling offline cracking attempts against privileged accounts and potential account takeover.
The GitHub Security Advisory GHSA-c7pc-pgf6-mfh5 states that the flaw is fixed in ezplatform-graphql 2.3.12 and 1.0.13. Administrators unable to upgrade can edit src/bundle/Resources/config/graphql/User.types.yaml to remove the passwordHash field and optionally other sensitive properties such as email or login.
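A way to check a deployment against the two remediations above, as an added example that is not code from the advisory or the Ibexa project: it reads `composer.lock` content for the installed version and scans the types file text for the fields named in the workaround. The Composer package name `ezsystems/ezplatform-graphql`, the function names and the sample lock and YAML content are assumptions constructed for illustration.

```python
import json
import re

PACKAGE = "ezsystems/ezplatform-graphql"  # assumed Composer package name
FIXED = {1: (1, 0, 13), 2: (2, 3, 12)}  # first fixed release per branch
SENSITIVE = ("passwordHash", "email", "login")  # fields named in the workaround

def version_status(raw):
    """Classify 'v2.3.11'-style versions; dev or other branches are 'unknown'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    if not m or int(m.group(1)) not in FIXED:
        return "unknown"
    version = tuple(int(p) for p in m.groups())
    return "vulnerable" if version < FIXED[version[0]] else "fixed"

def lock_status(lock_text):
    """Status of the package in composer.lock content, or 'absent'."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            return version_status(pkg.get("version", ""))
    return "absent"

def exposed_fields(types_yaml):
    """Sensitive names still declared as keys; commented-out lines are skipped."""
    found = []
    for line in types_yaml.splitlines():
        m = re.match(r"\s*([A-Za-z_]\w*)\s*:", line)
        if m and m.group(1) in SENSITIVE and m.group(1) not in found:
            found.append(m.group(1))
    return found

# Constructed sample inputs, not taken from a real installation.
SAMPLE_LOCK = json.dumps({"packages": [{"name": PACKAGE, "version": "v2.3.11"}]})
SAMPLE_YAML = """\
User:
    type: object
    config:
        fields:
            login:
                type: "String"
            # passwordHash:
            #     type: "String"
"""

if __name__ == "__main__":
    print(lock_status(SAMPLE_LOCK), exposed_fields(SAMPLE_YAML))
```

A result of `unknown` covers dev branches and major versions the advisory text does not mention, so those need a manual look rather than being treated as fixed.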
EPSS for this CVE rose from a low baseline to a peak of 0.1081 on 2025-12-11 before receding to the current value of 0.0416, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-7309
Vulnerability details
ezplatform-graphql is a GraphQL server implementation for Ibexa DXP and Ibexa Open Source. Versions prior to 2.3.12 and 1.0.13 are subject to Insecure Storage of Sensitive Information. Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically administrators and editors. This issue has been patched in versions 2.3.12, and 1.0.13 on the 1.X branch. Users unable to upgrade can remove the "passwordHash" entry from "src/bundle/Resources/config/graphql/User.types.yaml" in the GraphQL package, and other properties like hash type, email, login if you prefer.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Documenting information locations and authorized users enables better protection against unauthorized exposure of sensitive data.
Requiring equivalent controls at the alternate storage site prevents unauthorized exposure of sensitive backup data.
Protecting confidentiality of backup information prevents unauthorized exposure of sensitive data stored in backups.
Policies mandate protection of CUI on external systems, directly reducing unauthorized exposure of sensitive information.
Categorization identifies sensitive data so that confidentiality protections commensurate with impact level are selected and documented.
Encrypting or otherwise protecting data at rest directly prevents unauthorized actors from reading sensitive information stored on disk or other media.
Fragmentation across systems ensures that exposure from any single component yields only incomplete information, directly reducing the impact of unauthorized disclosure.
OPSEC controls directly protect supply chain information from unauthorized observation or disclosure.