
CVE-2022-24784: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in statamic cms

Medium
Published: Fri Mar 25 2022 (03/25/2022, 21:40:11 UTC)
Source: CVE
Vendor/Project: statamic
Product: cms

Description

Statamic is a Laravel and Git powered CMS. Before versions 3.2.39 and 3.3.2, it is possible to confirm a single character of a user's password hash using a specially crafted regular expression filter in the users endpoint of the REST API. Multiple such requests can eventually uncover the entire hash. The hash is not present in the response, however the presence or absence of a result confirms if the character is in the right position. The API has throttling enabled by default, making this a time intensive task. Both the REST API and the users endpoint need to be enabled, as they are disabled by default. The issue has been fixed in versions 3.2.39 and above, and 3.3.2 and above.

AI-Powered Analysis

Last updated: 06/23/2025, 11:51:24 UTC

Technical Analysis

CVE-2022-24784 affects Statamic CMS, a content management system built on Laravel and Git. The flaw sits in the users endpoint of the REST API in versions before 3.2.39 and 3.3.2. That endpoint accepts filters on user fields, including a regular-expression filter, and applied them to the stored password hash as well as to ordinary attributes. The hash is never included in a response, but a filter that matches returns the user and one that does not match returns nothing, so the endpoint behaves as a boolean oracle: an attacker can ask whether a chosen character sits at a chosen position of the hash, and by repeating the question position by position can reconstruct the entire hash without ever seeing it directly. The API's default throttling limits the request rate, which makes the attack slow rather than impossible. Exploitation also requires both the REST API and its users endpoint to be enabled, and both are disabled by default. The weakness is classified as CWE-200 (exposure of sensitive information to an unauthorized actor). No exploitation in the wild has been reported. The issue is fixed in Statamic CMS 3.2.39 and 3.3.2 and later.
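The oracle described above, modelled as an added example. This is not Statamic's code: the endpoint below is a toy stand-in that accepts a `filter[field:regex]=value` style filter (an assumed request shape), the user records and hash strings are constructed to look like bcrypt output and are not real credentials, and the `filterable_fields` allowlist is an illustrative hardening, not the project's actual patch. The attacker side shows how a yes/no answer per request is enough to walk the whole hash, and how many requests that costs.

```python
import re
import string

# Constructed sample users. The hash strings are made up to look like bcrypt
# output (60 chars, "$2y$10$" prefix); they are not real credentials.
SAMPLE_USERS = [
    {"id": 1, "email": "alice@example.test",
     "password": "$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"},
    {"id": 2, "email": "bob@example.test",
     "password": "$2y$10$zyxwvutsrqponmlkjihgfe9876543210ZYXWVUTSRQPONMLKJIHGF"},
]

# Characters that can appear in a bcrypt hash string.
BCRYPT_CHARS = "$./" + string.ascii_letters + string.digits


class UsersEndpoint:
    """Toy stand-in for a REST users endpoint that applies regex filters server-side.
    Hypothetical model, not Statamic's implementation: `filters` maps a field name to
    a regular expression, mimicking a `filter[field:regex]=value` query string."""

    def __init__(self, users, filterable_fields=None):
        self.users = users
        # None means any field may be filtered: the vulnerable behaviour.
        # A set of field names is the illustrative hardening: an allowlist that
        # never includes the password field.
        self.filterable_fields = filterable_fields
        self.requests = 0

    def query(self, filters):
        self.requests += 1
        for field in filters:
            if self.filterable_fields is not None and field not in self.filterable_fields:
                raise ValueError(f"filtering on '{field}' is not permitted")
        compiled = {f: re.compile(rx) for f, rx in filters.items()}
        # Only public fields are returned; the hash itself never leaves the server.
        return [
            {"id": u["id"], "email": u["email"]}
            for u in self.users
            if all(p.search(str(u.get(f, ""))) for f, p in compiled.items())
        ]


def recover_hash(endpoint, email, max_len=60):
    """Rebuild one user's hash a character at a time. Each request asks whether the
    hash starts with <known prefix><candidate>; the only signal is whether the user
    shows up in the (otherwise harmless) result list."""
    known = ""
    while len(known) < max_len:
        for ch in BCRYPT_CHARS:
            hit = endpoint.query({
                "email": "^" + re.escape(email) + "$",
                "password": "^" + re.escape(known + ch),
            })
            if hit:
                known += ch
                break
        else:
            break  # nothing extends the prefix: the full hash has been recovered
    return known


def demo():
    """Run the oracle against the vulnerable endpoint, then against the hardened one."""
    vulnerable = UsersEndpoint(SAMPLE_USERS)
    recovered = recover_hash(vulnerable, "alice@example.test")

    hardened = UsersEndpoint(SAMPLE_USERS, filterable_fields={"id", "email"})
    try:
        recover_hash(hardened, "alice@example.test")
        blocked = False
    except ValueError:
        blocked = True
    return recovered, vulnerable.requests, blocked


if __name__ == "__main__":
    recovered, requests, blocked = demo()
    print(f"recovered {recovered!r} in {requests} requests; hardened endpoint blocked: {blocked}")
```

Each hash position costs up to 65 requests (one per candidate character), so a 60-character bcrypt string needs at most about 3,900 requests. That is why the advisory calls the attack time-intensive under default throttling rather than infeasible: at a hypothetical limit of 60 requests per minute it is roughly an hour of patient polling, not a brute-force effort. The allowlist in the hardened endpoint is the shape of fix a practitioner would expect: the password field must not be filterable at all, since rejecting regex filters alone would leave prefix-style conditions as an equivalent oracle.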

Potential Impact

The primary impact of this vulnerability is exposure of users' password hashes, which enables offline brute-force or dictionary attacks against the underlying passwords. Laravel's default password hashing is bcrypt, which keeps offline cracking expensive, but weak or reused passwords still fall quickly once the hash is in hand. A cracked password gives the attacker that user's access, potentially including administrative access, depending on the account. For European organizations running a vulnerable Statamic CMS version with the REST API users endpoint enabled, this could lead to unauthorized data access, defacement, or further lateral movement within internal networks. The time-intensive nature of the attack under API throttling reduces the immediacy of the threat but does not eliminate it, especially against high-value targets where attackers are willing to invest the time. Because the REST API and the users endpoint must both be enabled, organizations that have not enabled these features are not exposed. Confidentiality is primarily affected, with secondary impacts on integrity and availability if attackers use compromised credentials for further attacks. The lack of known exploits in the wild suggests limited active exploitation but does not preclude future attacks.

Mitigation Recommendations

1. Upgrade Statamic CMS to version 3.2.39, 3.3.2, or later to apply the official fix.
2. If upgrading immediately is not feasible, disable the REST API, or at least its users endpoint, in the API configuration (config/statamic/api.php in a standard install). Both are disabled by default, and the flaw is only exploitable when they are enabled.
3. Enforce strong password policies and encourage users to use complex, unique passwords so that any hash that does leak resists offline cracking.
4. Monitor API access logs for unusual or repetitive requests to the users endpoint, in particular any request that filters on the password field and long runs of regex-filtered requests from one client; either pattern indicates an attempt to enumerate password hash characters.
5. Apply additional rate limiting or IP-based blocking to further restrict the number of API requests from suspicious sources.
6. Enable multi-factor authentication (MFA) for user accounts to limit the impact of compromised credentials.
7. Regularly audit and review CMS configurations to ensure that features such as the REST API users endpoint stay disabled unless explicitly required.
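Detection logic for the monitoring step, as an added example that is not part of the original analysis or of Statamic. It assumes a simple space-separated access-log shape (timestamp, client IP, method, path with query string, status), an `/api/users` path and `filter[field:condition]` query keys; adapt all three to your own server's log format. The sample log lines are constructed, with IPs from the documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Assumed log shape (hypothetical; adapt to your web server's format):
# "<ISO-8601 UTC timestamp> <client ip> <method> <path?query> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Assumed query-key shape for a field filter: filter[field:condition]=value
FILTER_KEY_RE = re.compile(r"^filter\[([^:\]]+)(?::([^\]]+))?\]$")


def parse_line(line):
    """Split one access-log line into timestamp, client, path and the list of
    (field, condition) filters it carries. Returns None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, _method, target, _status = m.groups()
    parts = urlsplit(target)
    filters = []
    for key in parse_qs(parts.query, keep_blank_values=True):
        fm = FILTER_KEY_RE.match(key)
        if fm:
            filters.append((fm.group(1), fm.group(2) or "is"))
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "path": parts.path,
        "filters": filters,
    }


def detect(log_text, window=timedelta(minutes=5), threshold=20):
    """Two rules over requests to the users endpoint:
    1. any filter on the password field is flagged at once: there is no legitimate
       reason for an API client to filter users by their password hash;
    2. more than `threshold` regex-filtered requests from one client inside `window`
       is flagged as probable enumeration, even if throttling let them through.
    Returns {"password_filter": {ips}, "regex_burst": {ips}}."""
    findings = {"password_filter": set(), "regex_burst": set()}
    regex_times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/users"):
            continue
        for field, cond in rec["filters"]:
            if field == "password":
                findings["password_filter"].add(rec["ip"])
            if cond == "regex":
                regex_times[rec["ip"]].append(rec["ts"])
    for ip, times in regex_times.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                findings["regex_burst"].add(ip)
                break
    return findings


def build_sample_log():
    """Constructed sample log: one benign client and one client walking a hash one
    character at a time. IPs are from the documentation ranges, not real traffic."""
    lines = [
        "2022-03-20T10:00:00Z 198.51.100.7 GET /api/users?filter[email:is]=bob@example.test 200",
        "2022-03-20T10:00:03Z 198.51.100.7 GET /api/collections/blog/entries 200",
    ]
    for i in range(25):
        # value is the URL-encoded regex ^\$2y\$10\$ followed by one candidate character
        lines.append(
            f"2022-03-20T10:01:{i:02d}Z 203.0.113.5 GET "
            f"/api/users?filter[password:regex]=%5E%5C%242y%5C%2410%5C%24{chr(97 + i)} 200"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(detect(build_sample_log()))
```

The first rule is the high-signal one: a single request filtering on `password` is enough to alert on, because no API consumer needs it. The burst rule is a fallback for the case where field names are not visible in the logs or the attacker uses a different field-filter syntax; tune `threshold` against your normal API traffic so legitimate regex filters on other fields do not page anyone.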


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-02-10T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9843c4522896dcbf2b53

Added to database: 5/21/2025, 9:09:23 AM

Last enriched: 6/23/2025, 11:51:24 AM

Last updated: 2/7/2026, 11:22:13 AM

