GoogleOSV:GHSA-34FR-FHQR-7235

HistoryJul 26, 2021 - 9:16 p.m.

Information Disclosure in User Authentication

2021-07-2621:16:28

Google

osv.dev

information disclosure

user authentication

debug mode

typo3 versions

security advisory

EPSS

0.001

Percentile

26.9%

JSON

> ### Meta
> * CVSS: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C (4.9)

Problem

It has been discovered that user credentials have been logged as plaintext when explicitly using log level debug, which is not the default configuration.

Solution

Update to TYPO3 versions 7.6.52 ELTS, 8.7.41 ELTS, 9.5.28, 10.4.18, 11.3.1 that fix the problem described.

Credits

Thanks to Ingo Schmitt who reported this issue, and to TYPO3 core & security team member Benni Mack who fixed the issue.

References

TYPO3-CORE-SA-2021-012

References

github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-32767.yaml

github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-32767.yaml

github.com/TYPO3/typo3

github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-34fr-fhqr-7235

github.com/TYPO3/typo3/commit/0b4950163b8919451964133febc65bcdfcec721c

github.com/TYPO3/typo3/security/advisories/GHSA-34fr-fhqr-7235

nvd.nist.gov/vuln/detail/CVE-2021-32767

typo3.org/security/advisory/typo3-core-sa-2021-012

typo3.org/security/advisory/typo3-core-sa-2021-013

EPSS

0.001

Percentile

26.9%

JSON

Related for OSV:GHSA-34FR-FHQR-7235