The users endpoint controller exposes a project's apiKey field to the logged-in user, provided they have permission for that endpoint. This only has impact if a project itself uses that specific field, Sulu itself does nothing with it and has no authentication per apiKey in its core.
A patch is released with Version 2.6.23 and 3.0.5.
Remove the field descriptor by patch the UserController.php File in Sulu Security Bundle.
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 2.3 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-9m6v-8fxc-4r44 ↗ |
| CWE id | Name |
|---|---|
| CWE-284 | Improper Access Control |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| composer | sulu/sulu | >= 3.0.0-alpha1, <= 3.0.5 | 3.0.6 | — |
| composer | sulu/sulu | <= 2.6.22 | 2.6.23 | — |