pysec - pysec-2022-178

PYSEC-2022-178

Vulnerability from pysec - Published: 2022-03-31 23:15 - Updated: 2022-04-11 00:47

Details

Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. IRRd did not always filter password hashes in query responses relating to mntner objects and database exports. This may have allowed adversaries to retrieve some of these hashes, perform a brute-force search for the clear-text passphrase, and use these to make unauthorised changes to affected IRR objects. This issue only affected instances that process password hashes, which means it is limited to IRRd instances that serve authoritative databases. IRRd instances operating solely as mirrors of other IRR databases are not affected. This has been fixed in IRRd 4.2.3 and the main branch. Versions in the 4.1.x series never were affected. Users of the 4.2.x series are strongly recommended to upgrade. There are no known workarounds for this issue.

Impacted products

Name	purl
irrd	pkg:pypi/irrd

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "irrd",
        "purl": "pkg:pypi/irrd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "fdffaf8dd71713f06e99dff417e6aa1e6fa84b70"
            },
            {
              "fixed": "0e41bae8d3d27316381a2fc7b466597230e35ec6"
            }
          ],
          "repo": "https://github.com/irrdnet/irrd",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "4.2.0"
            },
            {
              "fixed": "4.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.2.0",
        "4.2.1",
        "4.2.2"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24798",
    "GHSA-cqxx-66wh-8pjw"
  ],
  "details": "Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. IRRd did not always filter password hashes in query responses relating to `mntner` objects and database exports. This may have allowed adversaries to retrieve some of these hashes, perform a brute-force search for the clear-text passphrase, and use these to make unauthorised changes to affected IRR objects. This issue only affected instances that process password hashes, which means it is limited to IRRd instances that serve authoritative databases. IRRd instances operating solely as mirrors of other IRR databases are not affected. This has been fixed in IRRd 4.2.3 and the main branch. Versions in the 4.1.x series never were affected. Users of the 4.2.x series are strongly recommended to upgrade. There are no known workarounds for this issue.",
  "id": "PYSEC-2022-178",
  "modified": "2022-04-11T00:47:25.619560Z",
  "published": "2022-03-31T23:15:00Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/irrdnet/irrd/commit/fdffaf8dd71713f06e99dff417e6aa1e6fa84b70"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/irrdnet/irrd/security/advisories/GHSA-cqxx-66wh-8pjw"
    },
    {
      "type": "FIX",
      "url": "https://github.com/irrdnet/irrd/commit/0e41bae8d3d27316381a2fc7b466597230e35ec6"
    }
  ]
}

CVE-2022-24798 (GCVE-0-2022-24798)

Vulnerability from cvelistv5 – Published: 2022-03-31 23:05 – Updated: 2025-04-23 18:42

Title

Insufficient password hash filtering in some IRRd queries and exports

Summary

Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. IRRd did not always filter password hashes in query responses relating to `mntner` objects and database exports. This may have allowed adversaries to retrieve some of these hashes, perform a brute-force search for the clear-text passphrase, and use these to make unauthorised changes to affected IRR objects. This issue only affected instances that process password hashes, which means it is limited to IRRd instances that serve authoritative databases. IRRd instances operating solely as mirrors of other IRR databases are not affected. This has been fixed in IRRd 4.2.3 and the main branch. Versions in the 4.1.x series never were affected. Users of the 4.2.x series are strongly recommended to upgrade. There are no known workarounds for this issue.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer

Assigner

GitHub_M

References

URL

Tags

	https://github.com/irrdnet/irrd/security/advisori…	x_refsource_CONFIRM
	https://github.com/irrdnet/irrd/commit/0e41bae8d3…	x_refsource_MISC
	https://github.com/irrdnet/irrd/commit/fdffaf8dd7…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	irrdnet	irrd	Affected: >= 4.2.0, < 4.2.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:20:50.494Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/irrdnet/irrd/security/advisories/GHSA-cqxx-66wh-8pjw"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/irrdnet/irrd/commit/0e41bae8d3d27316381a2fc7b466597230e35ec6"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/irrdnet/irrd/commit/fdffaf8dd71713f06e99dff417e6aa1e6fa84b70"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-24798",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T15:56:13.226871Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T18:42:27.985Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "irrd",
          "vendor": "irrdnet",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.2.0, \u003c 4.2.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. IRRd did not always filter password hashes in query responses relating to `mntner` objects and database exports. This may have allowed adversaries to retrieve some of these hashes, perform a brute-force search for the clear-text passphrase, and use these to make unauthorised changes to affected IRR objects. This issue only affected instances that process password hashes, which means it is limited to IRRd instances that serve authoritative databases. IRRd instances operating solely as mirrors of other IRR databases are not affected. This has been fixed in IRRd 4.2.3 and the main branch. Versions in the 4.1.x series never were affected. Users of the 4.2.x series are strongly recommended to upgrade. There are no known workarounds for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-212",
              "description": "CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-31T23:05:11.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/irrdnet/irrd/security/advisories/GHSA-cqxx-66wh-8pjw"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/irrdnet/irrd/commit/0e41bae8d3d27316381a2fc7b466597230e35ec6"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/irrdnet/irrd/commit/fdffaf8dd71713f06e99dff417e6aa1e6fa84b70"
        }
      ],
      "source": {
        "advisory": "GHSA-cqxx-66wh-8pjw",
        "discovery": "UNKNOWN"
      },
      "title": "Insufficient password hash filtering in some IRRd queries and exports",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-24798",
          "STATE": "PUBLIC",
          "TITLE": "Insufficient password hash filtering in some IRRd queries and exports"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "irrd",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 4.2.0, \u003c 4.2.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "irrdnet"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. IRRd did not always filter password hashes in query responses relating to `mntner` objects and database exports. This may have allowed adversaries to retrieve some of these hashes, perform a brute-force search for the clear-text passphrase, and use these to make unauthorised changes to affected IRR objects. This issue only affected instances that process password hashes, which means it is limited to IRRd instances that serve authoritative databases. IRRd instances operating solely as mirrors of other IRR databases are not affected. This has been fixed in IRRd 4.2.3 and the main branch. Versions in the 4.1.x series never were affected. Users of the 4.2.x series are strongly recommended to upgrade. There are no known workarounds for this issue."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/irrdnet/irrd/security/advisories/GHSA-cqxx-66wh-8pjw",
              "refsource": "CONFIRM",
              "url": "https://github.com/irrdnet/irrd/security/advisories/GHSA-cqxx-66wh-8pjw"
            },
            {
              "name": "https://github.com/irrdnet/irrd/commit/0e41bae8d3d27316381a2fc7b466597230e35ec6",
              "refsource": "MISC",
              "url": "https://github.com/irrdnet/irrd/commit/0e41bae8d3d27316381a2fc7b466597230e35ec6"
            },
            {
              "name": "https://github.com/irrdnet/irrd/commit/fdffaf8dd71713f06e99dff417e6aa1e6fa84b70",
              "refsource": "MISC",
              "url": "https://github.com/irrdnet/irrd/commit/fdffaf8dd71713f06e99dff417e6aa1e6fa84b70"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-cqxx-66wh-8pjw",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-24798",
    "datePublished": "2022-03-31T23:05:11.000Z",
    "dateReserved": "2022-02-10T00:00:00.000Z",
    "dateUpdated": "2025-04-23T18:42:27.985Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-CQXX-66WH-8PJW

Vulnerability from github – Published: 2022-04-01 13:59 – Updated: 2024-09-24 21:11

Summary

Improper Removal of Sensitive Information Before Storage or Transfer in irrd

Details

IRRd did not always filter password hashes in query responses relating to mntner objects and database exports. This may have allowed adversaries to retrieve some of these hashes, perform a brute-force search for the clear-text passphrase, and use these to make unauthorised changes to affected IRR objects. This issue only affected instances that process password hashes, which means it is limited to IRRd instances that serve authoritative databases. IRRd instances operating solely as mirrors of other IRR databases are not affected.

The issue occurred: * For mntner objects where all password hash names (MD5-PW and CRYPT-PW) were in lower or mixed case in the auth attribute. For these objects, hashes remained in the output of all queries of any method and all database exports made with the export_destination setting. Fortunately, objects in the common public IRR database virtually all use uppercase hash names which means very few of those objects were affected. * For any GraphQL queries that queried the auth field on mntner objects. * For any GraphQL queries that queried the objectText field on the journal field on mntner objects, if the nrtm_access_list setting permitted journal access.

The two GraphQL cases are visible in logs, allowing users to determine whether any existing objects had their hashes exposed. This has been fixed in IRRd 4.2.3 and the main branch. Versions in the 4.1.x series never were affected. Users of the 4.2.x series are strongly recommended to upgrade. All users running a more recent version from the main branch should update to the latest version. Alternatively, but not recommended, apply the patch manually [for 4.2.x]

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.1 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "irrd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0"
            },
            {
              "fixed": "4.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24798"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-212"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-01T13:59:17Z",
    "nvd_published_at": "2022-03-31T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "IRRd did not always filter password hashes in query responses relating to `mntner` objects and database exports. This may have allowed adversaries to retrieve some of these hashes, perform a brute-force search for the clear-text passphrase, and use these to make unauthorised changes to affected IRR objects. This issue only affected instances that process password hashes, which means it is limited to IRRd instances that serve authoritative databases. IRRd instances operating solely as mirrors of other IRR databases are not affected.\n\nThe issue occurred:\n* For `mntner` objects where all password hash names (`MD5-PW` and `CRYPT-PW`) were in lower or mixed case in the `auth` attribute. For these objects, hashes remained in the output of all queries of any method and all database exports made with the `export_destination` setting. Fortunately, objects in the common public IRR database virtually all use uppercase hash names which means very few of those objects were affected.\n* For any GraphQL queries that queried the `auth` field on `mntner` objects.\n* For any GraphQL queries that queried the `objectText` field on the `journal` field on `mntner` objects, if the `nrtm_access_list` setting permitted journal access.\n\nThe two GraphQL cases are visible in logs, allowing users to determine whether any existing objects had their hashes exposed.\nThis has been fixed in IRRd 4.2.3 and the main branch. Versions in the 4.1.x series never were affected. Users of the 4.2.x series are strongly recommended to upgrade. All users running a more recent version from the main branch should update to the latest version. Alternatively, but not recommended, apply the patch manually [for 4.2.x]",
  "id": "GHSA-cqxx-66wh-8pjw",
  "modified": "2024-09-24T21:11:09Z",
  "published": "2022-04-01T13:59:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/irrdnet/irrd/security/advisories/GHSA-cqxx-66wh-8pjw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24798"
    },
    {
      "type": "WEB",
      "url": "https://github.com/irrdnet/irrd/commit/0e41bae8d3d27316381a2fc7b466597230e35ec6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/irrdnet/irrd/commit/fdffaf8dd71713f06e99dff417e6aa1e6fa84b70"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/irrdnet/irrd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/irrd/PYSEC-2022-178.yaml"
    },
    {
      "type": "WEB",
      "url": "https://irrd.readthedocs.io/en/stable/releases/4.2.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Improper Removal of Sensitive Information Before Storage or Transfer in irrd"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

PYSEC-2022-178

CVE-2022-24798 (GCVE-0-2022-24798)

GHSA-CQXX-66WH-8PJW

Tags

Sightings

Nomenclature