Описание
Insertion of Sensitive Information into Log File in typo3/cms-core
Meta
- CVSS:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C(4.9)
Problem
It has been discovered that system internal credentials or keys (e.g. database credentials) have been logged as plaintext in exception handlers, when logging the complete exception stack trace.
Solution
Update to TYPO3 versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the problem described above.
Credits
Thanks to Marco Huber who reported this issue and to TYPO3 security member Torben Hansen who fixed the issue.
References
Ссылки
- https://github.com/TYPO3/typo3/security/advisories/GHSA-fh99-4pgr-8j99
- https://nvd.nist.gov/vuln/detail/CVE-2022-31047
- https://github.com/TYPO3/typo3/commit/c93ea692e7dfef03b7c50fe5437487545bee4d6a
- https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-31047.yaml
- https://typo3.org/security/advisory/typo3-core-sa-2022-002
Пакеты
typo3/cms-core
>= 7.0.0, < 7.6.57
7.6.57
typo3/cms-core
>= 8.0.0, < 8.7.47
8.7.47
typo3/cms-core
>= 9.0.0, < 9.5.35
9.5.35
typo3/cms-core
>= 10.0.0, < 10.4.29
10.4.29
typo3/cms-core
>= 11.0.0, < 11.5.11
11.5.11
typo3/cms
>= 10.0.0, < 10.4.29
10.4.29
typo3/cms
>= 11.0.0, < 11.5.11
11.5.11
Связанные уязвимости
TYPO3 is an open source web content management system. Prior to versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, system internal credentials or keys (e.g. database credentials) can be logged as plaintext in exception handlers, when logging the complete exception stack trace. TYPO3 versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, 11.5.11 contain a fix for the problem.