CVE-2023-47639

API Platform Core can leak exceptions message that may contain sensitive information

CVSS 5.3 (Medium) · EPSS 0.3% · CWE-209
In short

API Platform Core was exposing detailed error messages in JSON responses that could reveal sensitive information about the system. An attacker could trigger errors to learn details about the application's internal workings.

Technical detail

CWE-209 information exposure vulnerability in API Platform Core 3.2.0 through 3.2.4: messages of exceptions that are not HTTP exceptions are copied verbatim into JSON error responses. An unauthenticated attacker can trigger application errors and read those messages to learn about the system's internal state and structure.

Summary generated and translated by AI from the official description.
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. From 3.2.0 until 3.2.4, the messages of exceptions that are not HTTP exceptions are visible in the JSON error response. This vulnerability is fixed in 3.2.5.
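The defect described above is a generic error-rendering mistake: the exception-to-JSON step treats every exception message as safe to show. The following PHP snippet is an added illustration written for this page, not API Platform's or Symfony's own code; the `HttpExceptionInterface` and `NotFoundHttpException` classes are minimal stand-ins so that it runs without any framework installed, and the database error string is a constructed sample. It contrasts a renderer that leaks every message with one that only passes through messages of HTTP exceptions (which are intended for clients) and replaces everything else with a generic detail while logging the original server-side.

```php
<?php
declare(strict_types=1);

// Stand-ins for the framework types (assumption: real apps use the
// framework's own HttpExceptionInterface / NotFoundHttpException).
interface HttpExceptionInterface
{
    public function getStatusCode(): int;
}

final class NotFoundHttpException extends \RuntimeException implements HttpExceptionInterface
{
    public function getStatusCode(): int
    {
        return 404;
    }
}

// Vulnerable pattern: every exception message reaches the client.
function leakyErrorResponse(\Throwable $e): array
{
    $status = $e instanceof HttpExceptionInterface ? $e->getStatusCode() : 500;

    return ['status' => $status, 'detail' => $e->getMessage()];
}

// Hardened pattern: HTTP exceptions carry client-facing messages and are
// returned as-is; any other exception is logged and replaced by a generic
// message, so internal details never leave the server.
function safeErrorResponse(\Throwable $e): array
{
    if ($e instanceof HttpExceptionInterface) {
        return ['status' => $e->getStatusCode(), 'detail' => $e->getMessage()];
    }

    // Keep the full detail for operators (log, not response).
    error_log(sprintf('[%s] %s', get_class($e), $e->getMessage()));

    return ['status' => 500, 'detail' => 'Internal Server Error'];
}

// Constructed sample: a database driver failure whose message contains
// a username and an internal host address.
$dbFailure = new \RuntimeException(
    "SQLSTATE[HY000] [1045] Access denied for user 'app'@'10.0.0.5' (using password: YES)"
);
$notFound = new NotFoundHttpException('Resource not found');

echo json_encode(leakyErrorResponse($dbFailure), JSON_UNESCAPED_SLASHES), PHP_EOL;
echo json_encode(safeErrorResponse($dbFailure), JSON_UNESCAPED_SLASHES), PHP_EOL;
echo json_encode(safeErrorResponse($notFound), JSON_UNESCAPED_SLASHES), PHP_EOL;
```

Run with `php example.php`: the first line shows the credential-bearing driver message in the response body, the second shows only `Internal Server Error`, and the third shows that the 404 message still reaches the client because it was raised as an HTTP exception. A useful check against a deployment is to trigger a non-HTTP failure (for example, stop the database) and confirm that the JSON `detail` field stays generic while the full message appears in the server log.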
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected products
api-platform · core
