CVE-2023-31133 - Vulnerability Details - OpenCVE

Ghost is an app for new-media creators with tools to build a website, publish content, send newsletters, and offer paid subscriptions to members. Prior to version 5.46.1, due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute force attack.

Ghost(Pro) has already been patched. Maintainers can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impacted if running Ghost a version below v5.46.1. v5.46.1 contains a fix for this issue. As a workaround, add a block for requests to `/ghost/api/content/*` where the `filter` query parameter contains `password` or `email`.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.17041.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Ghost	Ghost

Configuration 1 [-]

cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*

No data.

No data.

Advisories

Source	ID	Title
Github GHSA	GHSA-r97q-ghch-82j9	Ghost vulnerable to information disclosure of private API fields

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/TryGhost/Ghost/commit/b3caf16005289cc9909488391b4a26f3f4a66a90
https://github.com/TryGhost/Ghost/releases/tag/v5.46.1
https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9

History

Wed, 29 Jan 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-05-08T20:56:39.299Z

Updated: 2025-01-29T14:53:24.054Z

Reserved: 2023-04-24T21:44:10.416Z

Link: CVE-2023-31133

Vulnrichment

Updated: 2024-08-02T14:45:25.764Z

NVD

Status : Modified

Published: 2023-05-08T21:15:11.600

Modified: 2024-11-21T08:01:27.613

Link: CVE-2023-31133

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-31133", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-04-24T21:44:10.416Z", "datePublished": "2023-05-08T20:56:39.299Z", "dateUpdated": "2025-01-29T14:53:24.054Z"}, "containers": {"cna": {"title": "Ghost vulnerable to disclosure of private API fields", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9"}, {"name": "https://github.com/TryGhost/Ghost/commit/b3caf16005289cc9909488391b4a26f3f4a66a90", "tags": ["x_refsource_MISC"], "url": "https://github.com/TryGhost/Ghost/commit/b3caf16005289cc9909488391b4a26f3f4a66a90"}, {"name": "https://github.com/TryGhost/Ghost/releases/tag/v5.46.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/TryGhost/Ghost/releases/tag/v5.46.1"}], "affected": [{"vendor": "TryGhost", "product": "Ghost", "versions": [{"version": "< 5.46.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-05-08T20:56:39.299Z"}, "descriptions": [{"lang": "en", "value": "Ghost is an app for new-media creators with tools to build a website, publish content, send newsletters, and offer paid subscriptions to members. Prior to version 5.46.1, due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute force attack.\n\nGhost(Pro) has already been patched. Maintainers can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impacted if running Ghost a version below v5.46.1. v5.46.1 contains a fix for this issue. As a workaround, add a block for requests to `/ghost/api/content/*` where the `filter` query parameter contains `password` or `email`."}], "source": {"advisory": "GHSA-r97q-ghch-82j9", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:45:25.764Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9"}, {"name": "https://github.com/TryGhost/Ghost/commit/b3caf16005289cc9909488391b4a26f3f4a66a90", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/TryGhost/Ghost/commit/b3caf16005289cc9909488391b4a26f3f4a66a90"}, {"name": "https://github.com/TryGhost/Ghost/releases/tag/v5.46.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/TryGhost/Ghost/releases/tag/v5.46.1"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-29T14:53:14.110577Z", "id": "CVE-2023-31133", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-29T14:53:24.054Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9", "name": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/TryGhost/Ghost/commit/b3caf16005289cc9909488391b4a26f3f4a66a90", "name": "https://github.com/TryGhost/Ghost/commit/b3caf16005289cc9909488391b4a26f3f4a66a90", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/TryGhost/Ghost/releases/tag/v5.46.1", "name": "https://github.com/TryGhost/Ghost/releases/tag/v5.46.1", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:45:25.764Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-31133", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-29T14:53:14.110577Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-29T14:53:20.644Z"}}], "cna": {"title": "Ghost vulnerable to disclosure of private API fields", "source": {"advisory": "GHSA-r97q-ghch-82j9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "TryGhost", "product": "Ghost", "versions": [{"status": "affected", "version": "< 5.46.1"}]}], "references": [{"url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9", "name": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/TryGhost/Ghost/commit/b3caf16005289cc9909488391b4a26f3f4a66a90", "name": "https://github.com/TryGhost/Ghost/commit/b3caf16005289cc9909488391b4a26f3f4a66a90", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/TryGhost/Ghost/releases/tag/v5.46.1", "name": "https://github.com/TryGhost/Ghost/releases/tag/v5.46.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Ghost is an app for new-media creators with tools to build a website, publish content, send newsletters, and offer paid subscriptions to members. Prior to version 5.46.1, due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute force attack.\n\nGhost(Pro) has already been patched. Maintainers can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impacted if running Ghost a version below v5.46.1. v5.46.1 contains a fix for this issue. As a workaround, add a block for requests to `/ghost/api/content/*` where the `filter` query parameter contains `password` or `email`."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-05-08T20:56:39.299Z"}}}, "cveMetadata": {"cveId": "CVE-2023-31133", "state": "PUBLISHED", "dateUpdated": "2025-01-29T14:53:24.054Z", "dateReserved": "2023-04-24T21:44:10.416Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-05-08T20:56:39.299Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "019CF5DA-91CB-485C-8C00-7E82585A682E", "versionEndExcluding": "5.46.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Ghost is an app for new-media creators with tools to build a website, publish content, send newsletters, and offer paid subscriptions to members. Prior to version 5.46.1, due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute force attack.\n\nGhost(Pro) has already been patched. Maintainers can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impacted if running Ghost a version below v5.46.1. v5.46.1 contains a fix for this issue. As a workaround, add a block for requests to `/ghost/api/content/*` where the `filter` query parameter contains `password` or `email`."}], "id": "CVE-2023-31133", "lastModified": "2024-11-21T08:01:27.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-05-08T21:15:11.600", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/TryGhost/Ghost/commit/b3caf16005289cc9909488391b4a26f3f4a66a90"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/TryGhost/Ghost/releases/tag/v5.46.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/TryGhost/Ghost/commit/b3caf16005289cc9909488391b4a26f3f4a66a90"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/TryGhost/Ghost/releases/tag/v5.46.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-r97q-ghch-82j9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}