SB2022101845 - Multiple vulnerabilities in Kirby
Published: October 18, 2022 Updated: April 23, 2026
Description
This security bulletin contains information about 4 vulnerabilities.
1) Information disclosure (CVE-ID: N/A)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application when handling login and password reset forms. A remote attacker can enumerate web application users.
2) Information disclosure (CVE-ID: N/A)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a timing discrepancy in the brute force protection system. A remote attacker can enumerate web application users.
3) Observable Response Discrepancy (CVE-ID: CVE-2022-39314)
CWE-ID: CWE-204 - Observable Response Discrepancy
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information about registered users.
The vulnerability exists due to observable response discrepancy in the code-based login and password reset forms when processing authentication challenge requests. A remote attacker can submit email addresses and observe differing error behavior to disclose sensitive information about registered users.
This only affects installations using the code or password-reset authentication method, and exploitation is only possible if an error occurs during challenge creation or within the user.login:failed hook.
4) Observable Response Discrepancy (CVE-ID: CVE-2022-39315)
CWE-ID: CWE-204 - Observable Response Discrepancy
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an observable response discrepancy in brute force protection when handling login requests beyond the failed-attempt limit. A remote attacker can send crafted login requests from two or more IP addresses to disclose sensitive information.
This issue can be used to confirm whether specific users are registered, which makes it primarily relevant for targeted attacks. Sites are affected when user accounts are present and the API or Panel is enabled.
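The four findings above share one root cause: a login or password-reset handler whose response text, response timing, or brute-force handling depends on whether the submitted account exists. The following is an added example, not Kirby's code, that shows the pattern in a deliberately vulnerable handler next to a hardened one. All names (login_vulnerable, login_hardened, Limiter, the USERS dict, the salt and the sample addresses) are constructed for this illustration; the per-IP counter stands in for whatever brute-force store an application uses.

```python
"""Added example (not Kirby's own code): a minimal login handler in a form that
leaks account existence (CWE-204 / CWE-200) and in a hardened form whose
response and amount of work do not depend on whether the account exists."""
import hashlib
import hmac

# Constructed data: a fixed salt and one registered account (assumed, not from the bulletin).
_SALT = b"constructed-salt"
_ITERATIONS = 10_000
_hash_calls = 0  # counts expensive hash operations so equal work can be checked deterministically


def hash_password(password: str) -> bytes:
    """Salted PBKDF2; the counter stands in for a timing measurement."""
    global _hash_calls
    _hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"alice@example.com": hash_password("correct horse battery")}
_DUMMY = hash_password("dummy")  # compared against when the account is unknown
MAX_FAILED = 3


class Limiter:
    """Per-IP failed-attempt counter kept in a dict so the example needs no storage."""

    def __init__(self) -> None:
        self.failed = {}

    def blocked(self, ip: str) -> bool:
        return self.failed.get(ip, 0) >= MAX_FAILED

    def record_failure(self, ip: str) -> None:
        self.failed[ip] = self.failed.get(ip, 0) + 1


def login_vulnerable(email: str, password: str, ip: str, limiter: Limiter) -> str:
    """Same error text for unknown accounts and wrong passwords, yet still leaky:
    unknown accounts skip the hash (timing discrepancy) and are answered before
    the limit check, so beyond the limit only existing accounts see 'too many attempts'."""
    user_hash = USERS.get(email)
    if user_hash is None:
        limiter.record_failure(ip)
        return "invalid login"
    if limiter.blocked(ip):
        return "too many attempts"  # only reachable for existing accounts
    if hmac.compare_digest(hash_password(password), user_hash):
        return "ok"
    limiter.record_failure(ip)
    return "invalid login"


def login_hardened(email: str, password: str, ip: str, limiter: Limiter) -> str:
    """Limit check first, a dummy hash for unknown accounts, one failure message."""
    if limiter.blocked(ip):
        return "too many attempts"
    user_hash = USERS.get(email)
    expected = user_hash if user_hash is not None else _DUMMY
    # Hashing always runs, so known and unknown accounts cost the same time.
    match = hmac.compare_digest(hash_password(password), expected)
    if match and user_hash is not None:
        return "ok"
    limiter.record_failure(ip)
    return "invalid login"


def hash_calls() -> int:
    """Number of hash operations performed so far (used to compare work per path)."""
    return _hash_calls


if __name__ == "__main__":
    lim = Limiter()
    for _ in range(MAX_FAILED):
        login_vulnerable("nobody@example.com", "x", "10.0.0.1", lim)
    print("vulnerable, unknown account beyond limit:", login_vulnerable("nobody@example.com", "x", "10.0.0.1", lim))
    print("vulnerable, known account beyond limit:  ", login_vulnerable("alice@example.com", "x", "10.0.0.1", lim))
    lim = Limiter()
    for _ in range(MAX_FAILED):
        login_hardened("nobody@example.com", "x", "10.0.0.1", lim)
    print("hardened, unknown account beyond limit:  ", login_hardened("nobody@example.com", "x", "10.0.0.1", lim))
    print("hardened, known account beyond limit:    ", login_hardened("alice@example.com", "x", "10.0.0.1", lim))
```

The vulnerable handler illustrates why identical error strings alone are not enough: the order of the existence check relative to the rate limit, and the work skipped for unknown accounts, each give an observer a signal. The hardened handler evaluates the limit before touching the user store, always performs the password hash, and collapses every failure into one message, which is the property a code review of login, password-reset and challenge-creation paths should confirm.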
Remediation
Install the update from the vendor's website.
References
- https://github.com/getkirby/kirby/releases/tag/3.5.8.2
- https://github.com/getkirby/kirby/releases/tag/3.6.6.2
- https://github.com/getkirby/kirby/releases/tag/3.7.5.1
- https://github.com/getkirby/kirby/releases/tag/3.8.1
- https://github.com/getkirby/kirby/security/advisories/GHSA-43qq-qw4x-28f8
- https://github.com/getkirby/kirby/security/advisories/GHSA-c27j-76xg-6x4f
- https://github.com/advisories/GHSA-c27j-76xg-6x4f