CVE-2022-23497: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in FreshRSS FreshRSS
FreshRSS is a free, self-hostable RSS aggregator. User configuration files can be accessed by a remote user. In addition to user preferences, such configurations contain hashed passwords (bcrypt with cost 9, salted) of the FreshRSS Web interface. If the API is used, the configuration might contain a hashed password (bcrypt with cost 9, salted) of the GReader API, and a hashed password (MD5 salted) of the Fever API. Users should update to version 1.20.2 or edge. Users unable to upgrade can apply the patch manually or delete the file `./FreshRSS/p/ext.php`.
AI Analysis
Technical Summary
CVE-2022-23497 is an information-disclosure flaw (CWE-200) in FreshRSS, a free, self-hostable RSS aggregator. Through the script `p/ext.php`, the file the advisory tells administrators to delete if they cannot patch, a remote user can read per-user configuration files that the application should never serve. Besides user preferences, each such file holds the bcrypt hash (cost 9, salted) of that user's web-interface password and, if the API is enabled, a bcrypt hash (cost 9, salted) of the GReader API password and an MD5-based hash of the Fever API password.

What leaks is hashes, not plaintext, but the hashes are not equally strong. Bcrypt at cost 9 is one step below the usual default of 10 and still a deliberately slow function, so offline cracking of those hashes only pays off against weak or guessable passwords. The Fever hash is the weak point: the Fever protocol defines the API key as the MD5 of the user name and password, so the only salt is the user name and guesses can be tested at MD5 speed.

Affected versions run from 1.18.0 up to but not including 1.20.2. The fix is in 1.20.2 and in the edge branch; users who cannot upgrade can apply the patch by hand or delete `./FreshRSS/p/ext.php`. No exploitation in the wild is known at the time of writing, but the bar is low: the attack needs neither authentication nor user interaction, only requests to the vulnerable endpoint.
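The triage a practitioner does after reading the summary above, as an added example (this is not FreshRSS project code): decide from a version string whether an install falls in the advisory's range, pull the version out of a `constants.php`, check whether `p/ext.php` is still present, and tell from a stored hash's shape whether a leaked credential is bcrypt (and at what cost) or a bare MD5 digest. The `define('FRESHRSS_VERSION', ...)` line in `constants.php` and the `/var/www/FreshRSS` path are assumptions about the install layout; verify them against your tree.

```python
"""Triage helpers for CVE-2022-23497 (FreshRSS).

Added example, not code from the FreshRSS project. Assumptions, as labelled:
  * affected range 1.18.0 <= version < 1.20.2, as the advisory states;
  * the install root carries constants.php with a line of the form
    define('FRESHRSS_VERSION', '1.20.1');  (assumed layout, check your tree);
  * the entry point named by the advisory is p/ext.php below that root.
"""
import re
from pathlib import Path

AFFECTED_MIN = (1, 18, 0)   # first affected release (advisory)
FIXED = (1, 20, 2)          # first fixed release (advisory)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
_DEFINE_RE = re.compile(
    r"define\(\s*['\"]FRESHRSS_VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*\)"
)
_BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d\d)\$[./A-Za-z0-9]{53}$")
_MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_version(text):
    """'1.20.2' -> (1, 20, 2); '1.21.0-dev' -> (1, 21, 0).

    The pre-release suffix is dropped: an edge/dev build sits between releases,
    so decide those by checking whether p/ext.php carries the fix instead."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised FreshRSS version: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version):
    """True when the release number falls inside the advisory's range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def version_from_constants(php_source):
    """Pull the version string out of constants.php text, or None if absent."""
    m = _DEFINE_RE.search(php_source)
    return m.group(1) if m else None


def classify_hash(stored):
    """Tell an incident handler what kind of secret leaked.

    Returns ('bcrypt', cost) for a $2y$NN$ hash, ('md5', None) for a bare
    32-hex digest such as the Fever API key, or ('unknown', None)."""
    m = _BCRYPT_RE.match(stored)
    if m:
        return "bcrypt", int(m.group(1))
    if _MD5_RE.match(stored):
        return "md5", None
    return "unknown", None


def audit_install(root):
    """Inspect an unpacked FreshRSS tree and report what matters for this CVE."""
    root = Path(root)
    report = {"version": None, "version_affected": None, "ext_php_present": False}
    constants = root / "constants.php"
    if constants.is_file():
        version = version_from_constants(constants.read_text(errors="replace"))
        if version is not None:
            report["version"] = version
            report["version_affected"] = is_affected(version)
    report["ext_php_present"] = (root / "p" / "ext.php").is_file()
    return report


if __name__ == "__main__":
    for v in ("1.17.1", "1.18.0", "1.20.1", "1.20.2", "1.21.0-dev"):
        print(f"{v:<12} {'AFFECTED' if is_affected(v) else 'not affected'}")
    print(classify_hash("$2y$09$" + "a" * 53))  # ('bcrypt', 9)
    print(audit_install("/var/www/FreshRSS"))   # install path is an assumption
```

Run it against each install root; a report with `version_affected` true or `ext_php_present` true on an unpatched tree is the signal to act. The cost parsed by `classify_hash` comes from the `$2y$09$` prefix, which is how the "cost 9" in the advisory is visible in the stored hash itself.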
Potential Impact
For European organizations, exposure of the hashed passwords and user configuration data has several consequences. A cracked web-interface password gives the attacker the user's FreshRSS account: its subscriptions, reading state and settings, and the ability to add or alter feeds. Where FreshRSS sits on an internal network and is integrated with other systems, that foothold can be a step toward further access, with data leakage, manipulation of aggregated content (for example feeds that carry malicious links) and disruption of information workflows as the likely outcomes. A cracked GReader or Fever API password gives the same access through any compatible client, so the API endpoints have to be treated as exposed too. The impact is highest where FreshRSS feeds operational decisions or where sensitive feeds are configured, and it extends beyond FreshRSS wherever users reuse the leaked password elsewhere. Because exploitation needs no authentication, opportunistic scanning is to be expected, and organizations with slow patch cycles or little log monitoring are the most likely to be hit.
Mitigation Recommendations
European organizations running FreshRSS should upgrade to 1.20.2 or later, which removes the vulnerability. Where an immediate upgrade is not possible, apply the vendor patch by hand or delete `./FreshRSS/p/ext.php`, then confirm on every instance that the file is gone or patched. Inventory deployments and versions: anything from 1.18.0 up to but not including 1.20.2 is affected. Review web-server access logs for requests to `p/ext.php` to judge whether the flaw was exploited before remediation. Treat the stored hashes as disclosed on any instance that was reachable while vulnerable: have users change their FreshRSS passwords and API passwords (rotating the Fever key means changing the password it is derived from), and enforce strong, unique passwords so a leaked bcrypt hash is not cheaply cracked. Restrict network access to the instance, for example behind a VPN or an authenticating reverse proxy, if it does not need to be public. Finally, put FreshRSS into the regular vulnerability-management and patching workflow so the next advisory is caught on time.
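The log review recommended above, as an added example that is not FreshRSS code and does not reproduce the bug. It parses Apache/nginx combined-format lines, flags every request to `p/ext.php` (once the vendor says the file can simply be deleted, any hit deserves a look), raises the severity when the query names a `.php` file or walks directories, and counts hits per client. The `/freshrss/` prefix and the sample lines are constructed, using RFC 5737 documentation addresses; the `.php`/`..` rule is a generic heuristic for file-serving endpoints, not a statement of how this CVE works.

```python
"""Access-log sweep for requests to FreshRSS p/ext.php (CVE-2022-23497).

Added example for the log-review step; not FreshRSS project code and not a
reproduction of the bug. Assumptions, as labelled:
  * Apache/nginx 'combined' log format;
  * FreshRSS served under /freshrss/ (the sample below is constructed, with
    RFC 5737 documentation addresses; adjust the prefix for your deployment).
The first rule is coarse on purpose: once the vendor says p/ext.php can simply
be deleted, every request to it deserves a look. The second rule, a query that
names a .php file or walks directories, is a generic check for file-serving
endpoints, not a statement about how this CVE works.
"""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
EXT_PHP_RE = re.compile(r"/p/ext\.php$")
PHP_TARGET_RE = re.compile(r"\.php(?:$|[?&/])", re.IGNORECASE)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2022:10:01:02 +0000] "GET /freshrss/p/ext.php?f=config.php HTTP/1.1" 200 1843 "-" "curl/7.81.0"
198.51.100.4 - - [12/Dec/2022:10:05:44 +0000] "GET /freshrss/p/i/?a=normal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2022:11:30:10 +0000] "GET /freshrss/p/ext.php?f=config.php HTTP/1.1" 404 210 "-" "curl/7.81.0"
192.0.2.9 - - [12/Dec/2022:11:31:00 +0000] "GET /freshrss/p/ext.php?f=style.css HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Dec/2022:11:31:01 +0000] "GET /freshrss/p/api/greader.php/reader/api/0/user-info HTTP/1.1" 401 87 "-" "FeedReader/1.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = COMBINED_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def assess(entry):
    """Severity for one request: None unless it targets p/ext.php.

    high   - served (200) and the query names a .php file or contains '..'
    medium - such a query was sent but not served (e.g. 404 once the file is gone)
    low    - any other request to ext.php; compare against known extension assets
    """
    parts = urlsplit(entry["target"])
    if not EXT_PHP_RE.search(parts.path):
        return None
    query = unquote(parts.query)          # decode %2e%2e and friends before matching
    risky = bool(PHP_TARGET_RE.search(query)) or ".." in query
    if risky and entry["status"] == 200:
        return "high"
    if risky:
        return "medium"
    return "low"


def sweep(log_text):
    """Return (severity, ip, status, target) for every ext.php request in the log."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        severity = assess(entry)
        if severity is not None:
            findings.append((severity, entry["ip"], entry["status"], entry["target"]))
    return findings


def per_client(findings):
    """Count ext.php requests per source address; repeat offenders first."""
    return Counter(ip for _, ip, _, _ in findings)


if __name__ == "__main__":
    hits = sweep(SAMPLE_LOG)
    for severity, ip, status, target in hits:
        print(f"{severity:<6} {ip:<14} {status} {target}")
    print(per_client(hits).most_common())
```

Feed it the real access log (`sweep(open(path).read())`) and start with the `high` lines: a 200 on `ext.php` with a `.php` target in the query, before the patch date, is the case where the stored hashes must be assumed taken and the password rotation above becomes mandatory rather than advisable. A `medium` hit after you deleted the file shows that someone is still probing.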
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-01-19T21:23:53.767Z
- CISA Enriched: true
Threat ID: 682d9846c4522896dcbf4cc3
Added to database: 5/21/2025, 9:09:26 AM
Last enriched: 6/22/2025, 12:36:47 PM
Last updated: 8/13/2025, 11:06:20 PM
Related Threats
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
- CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)