Published on February 28, 2023 by the GitHub CNA (GitHub_M), CVE-2023-25575 describes a high-severity flaw in API Platform Core 2.7, 3.0 and 3.1: properties secured with the security option of the ApiProperty attribute can be disclosed on collection endpoints to users who should not see them.
Understanding CVE-2023-25575
This vulnerability, titled "Secured properties in API Platform Core may be accessible within collections," carries a CVSS v3.1 base score of 7.7 (High). The score reflects a network-reachable flaw that needs only low privileges and no user interaction, with high confidentiality impact and no integrity or availability impact.
What is CVE-2023-25575?
API Platform Core is the server component of API Platform, used to build hypermedia (JSON-LD/Hydra) and GraphQL APIs. In affected versions, properties secured with the security option of the ApiPlatform\Metadata\ApiProperty attribute (an expression such as is_granted('ROLE_ADMIN') that decides, per property, whether the current user may read it) may be revealed to users the expression is meant to exclude.
The Impact of CVE-2023-25575
The bug affects all serialization formats, including raw JSON, which are typically enabled by default when API Platform is installed. On collection endpoints the property-level security expression is not applied reliably: secured properties may be leaked to unauthorized users, and may also be hidden from users the expression would allow. Item endpoints are not affected, so a test that only fetches single resources will not catch the problem.
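As an added example (not code from this page or from the API Platform project), the following resource marks one property with the ApiProperty security option described above, and a functional test checks that an anonymous client never receives it on either the item endpoint or the collection endpoint; on an affected version it is the collection assertion that fails. The class, property, route and role names, the use of JSON-LD as the default format (hence the hydra:member key), and the existence of seeded Report fixtures are all assumptions.

```php
<?php
// File: src/Entity/Report.php
// Added example; not from the original page or from API Platform itself.
// Assumes Symfony with API Platform 3.x and the Security component configured.
// Class, property, route and role names are illustrative.

namespace App\Entity;

use ApiPlatform\Metadata\ApiProperty;
use ApiPlatform\Metadata\ApiResource;
use ApiPlatform\Metadata\Get;
use ApiPlatform\Metadata\GetCollection;

// Exposes GET /reports/{id} (item) and GET /reports (collection).
#[ApiResource(operations: [new Get(), new GetCollection()])]
class Report
{
    public ?int $id = null;

    public string $title = '';

    // Readable only by admins. On API Platform Core < 2.7.10, < 3.0.12 or
    // < 3.1.3 (CVE-2023-25575) this rule holds on the item endpoint but is
    // not applied reliably when the collection is serialized.
    #[ApiProperty(security: "is_granted('ROLE_ADMIN')")]
    public string $internalNotes = '';
}
```

```php
<?php
// File: tests/Api/SecuredPropertyTest.php
// Added example; assumes the Report entity above, database fixtures that
// contain at least one Report with id 1, and JSON-LD as the default format.

namespace App\Tests\Api;

use ApiPlatform\Symfony\Bundle\Test\ApiTestCase;

final class SecuredPropertyTest extends ApiTestCase
{
    // Item endpoint: the secured property is withheld on all versions.
    public function testAnonymousUserCannotReadSecuredPropertyOnItem(): void
    {
        $client = static::createClient();
        $response = $client->request('GET', '/reports/1');

        self::assertResponseIsSuccessful();
        self::assertArrayNotHasKey('internalNotes', $response->toArray());
    }

    // Collection endpoint: this is the assertion that fails on affected
    // versions, because the property can be serialized for any caller.
    public function testAnonymousUserCannotReadSecuredPropertyOnCollection(): void
    {
        $client = static::createClient();
        $response = $client->request('GET', '/reports');

        self::assertResponseIsSuccessful();
        $members = $response->toArray()['hydra:member'];
        self::assertNotEmpty($members, 'fixtures must contain at least one Report');
        foreach ($members as $member) {
            self::assertArrayNotHasKey('internalNotes', $member);
        }
    }
}
```

Run it with the project's PHPUnit setup (for example bin/phpunit tests/Api). Keeping both tests side by side is the point: the item test passes on an affected release and gives false confidence, while the collection test pins the behaviour the advisory describes and will also catch a regression after the upgrade.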
Technical Details of CVE-2023-25575
The affected release lines are 2.7, 3.0 and 3.1 of API Platform Core. The fix ships in 2.7.10, 3.0.12 and 3.1.3; upgrading to the patched release of the line in use resolves the issue.
Vulnerability Description
On collection endpoints the per-property security expression is not enforced correctly, so a caller can receive properties the expression should withhold (data leakage), and the visibility of secured properties no longer matches the configured access rule.
Affected Systems and Versions
Affected versions are API Platform Core 2.7.0 up to but not including 2.7.10, 3.0.0 up to but not including 3.0.12, and 3.1.0 up to but not including 3.1.3; the patched releases themselves are not affected. Deployments on any version in those ranges are exposed.
Exploitation Mechanism
A caller who can request a collection endpoint but is not entitled to a secured property can read that property's value from the collection response, even though the item endpoint for the same resource would withhold it. The impact is limited to confidentiality: the flaw discloses data but does not allow it to be modified.
Mitigation and Prevention
Addressing CVE-2023-25575 requires an immediate upgrade and, beyond that, practices that keep the dependency patched and the access rules tested.
Immediate Steps to Take
Upgrade to API Platform Core 2.7.10, 3.0.12 or 3.1.3, whichever matches the release line in use. Until the upgrade is deployed, the advisory describes a workaround based on adjusting the Serializer's context array; apply it as the advisory specifies and verify it against collection endpoints, since item endpoints behave correctly on affected versions and will not show whether the workaround is effective.
Long-Term Security Practices
Keep API Platform Core on a supported, patched release, follow the project's GitHub security advisories, and include collection endpoints (not only item endpoints) in any tests that verify property-level access control.
Patching and Updates
Apply patches and security updates to API Platform Core and its Symfony dependencies promptly; a Composer dependency audit (composer audit) reports known advisories such as this one against the installed versions.