CVE-2022-41876: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in ezsystems ezplatform-graphql

Medium
Published: Thu Nov 10 2022 (11/10/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: ezsystems
Product: ezplatform-graphql

Description

ezplatform-graphql is a GraphQL server implementation for Ibexa DXP and Ibexa Open Source. Versions prior to 2.3.12 and 1.0.13 are subject to Insecure Storage of Sensitive Information. Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or modified content, typically administrators and editors. This issue has been patched in versions 2.3.12, and 1.0.13 on the 1.X branch. Users unable to upgrade can remove the "passwordHash" entry from "src/bundle/Resources/config/graphql/User.types.yaml" in the GraphQL package, and other properties like hash type, email, login if you prefer.

AI-Powered Analysis

Last updated: 06/22/2025, 14:05:21 UTC

Technical Analysis

CVE-2022-41876 is a vulnerability affecting ezsystems' ezplatform-graphql, a GraphQL server implementation used within Ibexa DXP and Ibexa Open Source platforms. The flaw exists in versions prior to 2.3.12 and 1.0.13, where unauthenticated GraphQL queries can expose sensitive user information, specifically password hashes of users who have created or modified content, including administrators and editors. This exposure results from insecure storage and improper access control of sensitive data fields within the GraphQL schema, particularly the "passwordHash" attribute defined in the User.types.yaml configuration file. Because the GraphQL API allows unauthenticated queries to retrieve this information, attackers can harvest password hashes without any authentication or user interaction. Although the password hashes themselves are not plaintext passwords, their exposure significantly increases the risk of offline brute-force or rainbow table attacks to recover user credentials. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-922 (Insecure Storage of Sensitive Information). The issue was patched in versions 2.3.12 and 1.0.13. For users unable to upgrade, a recommended mitigation is to manually remove the "passwordHash" field and other sensitive properties such as hash type, email, and login from the GraphQL schema configuration file to prevent their exposure via unauthenticated queries. There are no known exploits in the wild reported to date, but the vulnerability's nature makes it a significant risk if left unpatched, especially in environments with privileged users whose credentials could be targeted.

Potential Impact

For European organizations using Ibexa DXP or Ibexa Open Source platforms with vulnerable versions of ezplatform-graphql, this vulnerability poses a moderate to high risk. Exposure of password hashes of privileged users (administrators and editors) can lead to credential compromise through offline cracking attempts. Successful credential theft could result in unauthorized access to critical content management systems, enabling attackers to manipulate, delete, or exfiltrate sensitive business information. This could disrupt business operations, damage reputation, and lead to regulatory non-compliance, especially under GDPR requirements concerning data protection and breach notification. The vulnerability's exploitation does not require authentication or user interaction, increasing the attack surface and ease of exploitation. Although no active exploits are known, the presence of exposed password hashes can facilitate targeted attacks against high-value accounts. Organizations operating in sectors with high-value content or sensitive data, such as media, publishing, government, and e-commerce, are particularly at risk. Additionally, the exposure of user emails and login names (if not mitigated) can aid social engineering or phishing campaigns.

Mitigation Recommendations

1. Immediately upgrade to ezplatform-graphql version 2.3.12 or 1.0.13 to apply the official patch that removes exposure of sensitive fields.
2. For organizations unable to upgrade promptly, manually edit the GraphQL schema configuration file (src/bundle/Resources/config/graphql/User.types.yaml) to remove the "passwordHash" field and other sensitive attributes such as email, login, and hash type to prevent their exposure.
3. Implement network-level access controls to restrict access to the GraphQL endpoint, limiting it to trusted internal networks or authenticated users only.
4. Monitor GraphQL API logs for unusual or excessive unauthenticated queries that may indicate reconnaissance or exploitation attempts.
5. Enforce strong password policies and consider multi-factor authentication for privileged accounts to mitigate risks from potential credential compromise.
6. Regularly audit user accounts and permissions within Ibexa platforms to ensure least privilege principles are applied.
7. Educate administrators and editors about phishing and credential security to reduce the risk of credential misuse.
8. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block suspicious GraphQL queries targeting sensitive fields.
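As an added example of the log-monitoring recommendation (not code from ezplatform-graphql or Ibexa), the following Python scans a JSON-lines request log for unauthenticated requests that select the fields the advisory names; the log format with `auth` and `query` keys, the query shapes in the sample, and the `passwordHashType` field name are assumptions.

```python
"""Flag unauthenticated GraphQL requests that select sensitive User fields.
Added example, not ezplatform-graphql code; the JSON-lines log format with
"auth" and "query" keys is an assumption."""
import json
import re

# "passwordHash" is named by the advisory; the hash-type field name is assumed.
SENSITIVE_FIELDS = {"passwordHash", "passwordHashType", "email", "login"}

_STRING = re.compile(r'"(?:\\.|[^"\\])*"')  # string literals (argument values)
_COMMENT = re.compile(r"#[^\n]*")            # GraphQL line comments
# Identifiers that are not variables ($x), directives (@x) or keys followed
# by ':' (argument names, aliases); an aliased field "h: passwordHash" still hits.
_IDENT = re.compile(r"(?<![$@\w])([A-Za-z_]\w*)\b(?!\s*:)")

def sensitive_selections(query):
    """Sorted sensitive field names selected anywhere in a GraphQL document."""
    text = _COMMENT.sub("", _STRING.sub('""', query))
    return sorted(set(_IDENT.findall(text)) & SENSITIVE_FIELDS)

def scan_log(lines):
    """Return [(line_no, fields)] for unauthenticated requests touching them."""
    hits = []
    for line_no, raw in enumerate(lines, 1):
        if not raw.strip():
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the scan
        if rec.get("auth"):
            continue  # authenticated sessions are out of scope for this rule
        found = sensitive_selections(rec.get("query", ""))
        if found:
            hits.append((line_no, found))
    return hits

# Constructed sample log; query shapes are illustrative, not the real schema.
SAMPLE_LOG = """\
{"ts":"2022-11-10T10:00:01Z","auth":false,"query":"{ content { items { name } } }"}
{"ts":"2022-11-10T10:00:02Z","auth":false,"query":"{ content { items { owner { login email passwordHash } } } }"}
{"ts":"2022-11-10T10:00:03Z","auth":true,"query":"{ me { login email } }"}
{"ts":"2022-11-10T10:00:04Z","auth":false,"query":"# passwordHash\\n{ search(text: \\"passwordHash\\") { name } }"}
{"ts":"2022-11-10T10:00:05Z","auth":false,"query":"{ owner { h: passwordHash t: passwordHashType } }"}
"""

if __name__ == "__main__":
    for line_no, fields in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: unauthenticated selection of {', '.join(fields)}")
```

Comments and string arguments are stripped before matching, so a search term or comment mentioning "passwordHash" does not trigger a false hit, while an aliased selection still does.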

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-09-30T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9846c4522896dcbf4a68

Added to database: 5/21/2025, 9:09:26 AM

Last enriched: 6/22/2025, 2:05:21 PM

Last updated: 8/4/2025, 1:03:49 AM
