CVE-2022-24784: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in statamic cms
Statamic is a Laravel and Git powered CMS. Before versions 3.2.39 and 3.3.2, it is possible to confirm a single character of a user's password hash using a specially crafted regular expression filter in the users endpoint of the REST API. Multiple such requests can eventually uncover the entire hash. The hash is not present in the response; however, the presence or absence of a result confirms whether the character is in the right position. The API has throttling enabled by default, making this a time-intensive task. Both the REST API and the users endpoint need to be enabled, as they are disabled by default. The issue has been fixed in versions 3.2.39 and above, and 3.3.2 and above.
AI Analysis
Technical Summary
CVE-2022-24784 is a vulnerability identified in Statamic CMS, a content management system built on Laravel and Git technologies. The flaw exists in versions prior to 3.2.39 and 3.3.2, specifically within the users endpoint of the REST API when it is enabled. The vulnerability allows an attacker to confirm individual characters of a user's password hash by leveraging a specially crafted regular expression filter. Although the password hash itself is not directly exposed in the API response, the presence or absence of a result from the query indicates whether a particular character is correct and in the correct position. By iteratively sending multiple requests, an attacker can gradually reconstruct the entire password hash. The API has throttling enabled by default, which limits the rate of requests and thus makes the attack time-consuming. Additionally, both the REST API and the users endpoint must be enabled for the vulnerability to be exploitable, and these are disabled by default in Statamic CMS. The vulnerability is classified under CWE-200, indicating exposure of sensitive information to unauthorized actors. No known exploits have been reported in the wild. The issue was addressed and fixed in Statamic CMS versions 3.2.39 and 3.3.2 and later.
Potential Impact
The primary impact of this vulnerability is the potential exposure of password hashes of users, which can lead to offline brute-force or dictionary attacks to recover user passwords. If successful, attackers could gain unauthorized access to user accounts, potentially including administrative accounts, depending on the compromised credentials. For European organizations using Statamic CMS with the vulnerable versions and enabled REST API users endpoint, this could result in unauthorized data access, defacement, or further lateral movement within internal networks. The time-intensive nature of the attack due to API throttling reduces the immediacy of the threat but does not eliminate it, especially against high-value targets where attackers may invest significant time. Since the vulnerability requires the REST API and users endpoint to be enabled, organizations that have not enabled these features are not at risk. Confidentiality is primarily affected, with potential secondary impacts on integrity and availability if attackers leverage compromised credentials for further attacks. The lack of known exploits in the wild suggests limited active exploitation but does not preclude future attacks.
Mitigation Recommendations
1. Upgrade Statamic CMS to version 3.2.39, 3.3.2, or later to apply the official patch that fixes this vulnerability.
2. If upgrading immediately is not feasible, disable the REST API or specifically the users endpoint to prevent exploitation, as these are disabled by default and only exploitable if enabled.
3. Implement strong password policies and encourage users to use complex, unique passwords to reduce the risk of successful offline cracking of exposed hashes.
4. Monitor API usage logs for unusual or repetitive requests targeting the users endpoint that may indicate an attempt to enumerate password hash characters.
5. Employ additional rate limiting or IP-based blocking to further restrict the number of API requests from suspicious sources.
6. Consider implementing multi-factor authentication (MFA) for user accounts to mitigate the impact of compromised credentials.
7. Regularly audit and review CMS configurations to ensure unnecessary features like the REST API users endpoint remain disabled unless explicitly required.
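Recommendation 4 above, worked through as an added detection example (not part of the advisory or of Statamic's code): it scans constructed access-log lines and flags source IPs that repeatedly send filtered requests to the users endpoint, and any filter whose field is `password`. The `/api/users` path and the `filter[field:condition]` query syntax are assumptions about Statamic's REST API, and the log lines and filter values are constructed, not real traffic.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (combined log format); the filter values x1..x3
# are placeholders, not real payloads. The /api/users path is an assumption
# (Statamic lets the API route prefix be configured).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2022:10:00:01 +0000] "GET /api/users?filter[password:regex]=x1 HTTP/1.1" 200 21
203.0.113.7 - - [10/Mar/2022:10:00:02 +0000] "GET /api/users?filter[password:regex]=x2 HTTP/1.1" 200 18
203.0.113.7 - - [10/Mar/2022:10:00:03 +0000] "GET /api/users?filter[password:regex]=x3 HTTP/1.1" 200 18
198.51.100.4 - - [10/Mar/2022:10:00:05 +0000] "GET /api/users?filter[name:contains]=jane HTTP/1.1" 200 412
198.51.100.4 - - [10/Mar/2022:10:00:09 +0000] "GET /api/collections/blog/entries HTTP/1.1" 200 9031
"""

USERS_PATH = "/api/users"  # assumed route of the users endpoint
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed query key shape: filter[field] or filter[field:condition]
FILTER_KEY_RE = re.compile(r"^filter\[(?P<field>[^:\]]+)(?::(?P<cond>[^\]]+))?\]$")


def parse_line(line):
    """Return source IP, request path and the list of (field, condition) filters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    filters = []
    for key in parse_qs(url.query, keep_blank_values=True):
        fm = FILTER_KEY_RE.match(unquote(key))
        if fm:
            filters.append((fm["field"], fm["cond"] or "equals"))
    return {"ip": m["ip"], "path": url.path, "filters": filters}


def analyse(log_text, repeat_threshold=3):
    """Flag password-field filters and repeated filtered queries against the users endpoint."""
    per_ip = defaultdict(int)  # filtered users-endpoint requests per source IP
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not (rec["path"] == USERS_PATH or rec["path"].startswith(USERS_PATH + "/")):
            continue
        if rec["filters"]:
            per_ip[rec["ip"]] += 1
        for field, cond in rec["filters"]:
            if field.lower() == "password":  # no legitimate client filters on this field
                findings.append(("password_filter", rec["ip"], cond))
    for ip, n in per_ip.items():
        if n >= repeat_threshold:
            findings.append(("repeated_user_filtering", ip, n))
    return findings
```

In production the per-IP count should be kept over a sliding time window, since the default API throttling spreads such a sequence over a long period.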
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-02-10T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9843c4522896dcbf2b53
Added to database: 5/21/2025, 9:09:23 AM
Last enriched: 6/23/2025, 11:51:24 AM
Last updated: 8/7/2025, 12:58:18 AM