Skip to content

Information Disclosure in User Authentication

Moderate
ohader published GHSA-34fr-fhqr-7235 Jul 20, 2021

Package

composer typo3/cms-core (Composer)

Affected versions

7.0.0-7.6.51, 8.0.0-8.7.40, 9.0.0-9.5.27, 10.0.0-10.4.17, 11.0.0-11.3.0

Patched versions

7.6.52, 8.7.41, 9.5.28, 10.4.18, 11.3.1

Description

Meta

  • CVSS: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C (4.9)

Problem

It has been discovered that user credentials have been logged as plaintext when explicitly using log level debug, which is not the default configuration.

Solution

Update to TYPO3 versions 7.6.52 ELTS, 8.7.41 ELTS, 9.5.28, 10.4.18, 11.3.1 that fix the problem described.

Credits

Thanks to Ingo Schmitt who reported this issue, and to TYPO3 core & security team member Benni Mack who fixed the issue.

References

Severity

Moderate

CVE ID

CVE-2021-32767

Weaknesses

Insertion of Sensitive Information into Log File

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. Learn more on MITRE.