
Cloud Vulnerability DB
A community-led vulnerabilities database
Internet Routing Registry daemon version 4 (IRRd) is an IRR database server that processes IRR objects in the RPSL format. IRRd 4.2.0 through 4.2.2 did not properly filter password hashes out of query responses for mntner objects and out of database exports. The issue is tracked as CVE-2022-24798, was disclosed on March 31, 2022, and is fixed in version 4.2.3 (GitHub Advisory).
IRRd is meant to replace the value of every password hash in a mntner object's auth attribute with a placeholder before the object is returned to a client. The advisory names three paths where this filtering was missing or incomplete:
1) mntner objects whose auth attribute carried the hash scheme name (MD5-PW or CRYPT-PW) in lower or mixed case: the filter matched the scheme names case-sensitively, even though IRRd accepts them in any case, so such lines passed through with the hash intact;
2) GraphQL queries reading the auth field of mntner objects;
3) GraphQL queries reading the objectText field of the journal field of mntner objects, when the nrtm_access_list setting granted the client access to the journal.
The vulnerability has a CVSS v3.1 base score of 7.5 (High) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: reachable over the network with no privileges or user interaction, high confidentiality impact, and no integrity or availability impact (GitHub Advisory).
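The first path is easy to see in code. The Python below is an added example written for this page, not IRRd's own implementation: weak_filter() matches the scheme names case-sensitively and so reproduces the described flaw, filter_auth_hashes() matches them case-insensitively, and leaked_hashes() is the exit check an operator could run over any text about to leave the server (the same check applies to the GraphQL auth and journal paths, which differ only in where the text is produced). The sample mntner object, its hash values, and the placeholder string are constructed for this example.

```python
"""Added example for CVE-2022-24798 (not IRRd's own code).

Redacting password hashes from RPSL mntner objects before they are sent
in query responses or exports.  weak_filter() matches the hash scheme
names case-sensitively and reproduces the flaw described in the advisory;
filter_auth_hashes() is the hardened, case-insensitive version.
"""
import re

# Hash schemes named in the advisory whose values must never leave the server.
PASSWORD_HASH_SCHEMES = ("MD5-PW", "CRYPT-PW")
# Replacement text chosen for this example (assumption), not IRRd's exact string.
PLACEHOLDER = "DummyValue  # Filtered for security"

# Constructed sample object: scheme names appear in upper, lower and mixed case.
# The hash values are made up and do not correspond to any real passphrase.
SAMPLE_MNTNER = """\
mntner:         EXAMPLE-MNT
descr:          Constructed sample maintainer
admin-c:        EX1-EXAMPLE
upd-to:         noc@example.net
auth:           MD5-PW $1$abcdefgh$0123456789abcdefghijkl
auth:           md5-pw $1$ijklmnop$zyxwvutsrqponmlkjihgfe
auth:           Crypt-Pw ab01CDef23ghi
auth:           PGPKEY-0123ABCD
mnt-by:         EXAMPLE-MNT
source:         EXAMPLE
"""

_SCHEMES = "|".join(re.escape(s) for s in PASSWORD_HASH_SCHEMES)
# An "auth:" line whose value starts with a password hash scheme name.
_AUTH_LINE = rf"^(auth:[ \t]*)({_SCHEMES})[ \t]+\S.*$"

# Flawed: only upper-case scheme names match, so "md5-pw" / "Crypt-Pw" lines pass through.
_WEAK_AUTH_RE = re.compile(_AUTH_LINE, re.MULTILINE)
# Hardened: the scheme keyword is accepted in any case, so it must be matched in any case.
_HARDENED_AUTH_RE = re.compile(_AUTH_LINE, re.MULTILINE | re.IGNORECASE)

# Extracts the hash value from any matching auth line, in any case; used as the exit check.
_HASH_VALUE_RE = re.compile(rf"^auth:[ \t]*(?:{_SCHEMES})[ \t]+(\S+)",
                            re.MULTILINE | re.IGNORECASE)


def _redact(match):
    # Keep the attribute name and a normalised scheme name; drop the hash and anything after it.
    return f"{match.group(1)}{match.group(2).upper()} {PLACEHOLDER}"


def weak_filter(rpsl_text):
    """Case-sensitive redaction: models the IRRd 4.2.0 - 4.2.2 behaviour."""
    return _WEAK_AUTH_RE.sub(_redact, rpsl_text)


def filter_auth_hashes(rpsl_text):
    """Case-insensitive redaction: the fixed behaviour."""
    return _HARDENED_AUTH_RE.sub(_redact, rpsl_text)


def leaked_hashes(rpsl_text):
    """Hash values still present in text that is about to be sent to a client.

    Run this on every output path (whois responses, GraphQL fields, exports),
    not only on the one the filter was originally written for.
    """
    return [v for v in _HASH_VALUE_RE.findall(rpsl_text) if v != "DummyValue"]


if __name__ == "__main__":
    print("weak filter leaks:", leaked_hashes(weak_filter(SAMPLE_MNTNER)))
    print("hardened filter leaks:", leaked_hashes(filter_auth_hashes(SAMPLE_MNTNER)))
    print(filter_auth_hashes(SAMPLE_MNTNER))
```

Running it shows the weak filter redacting only the upper-case MD5-PW line and letting the md5-pw and Crypt-Pw hashes through, while the hardened filter leaves no hash in the output and keeps non-password auth lines such as PGPKEY untouched.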
An attacker who retrieves a hash can run an offline brute-force or dictionary attack against it to recover the clear-text passphrase; MD5-PW (md5-crypt) and CRYPT-PW (traditional crypt(3)) offer little resistance to such attacks compared with modern password hashes. A recovered passphrase lets the attacker authenticate as the maintainer and make unauthorized changes to the IRR objects it protects. Only instances that process password hashes are affected, that is, IRRd instances serving authoritative databases; instances that operate solely as mirrors of other IRR databases are not. Operators of authoritative instances that ran an affected version should treat the hashes of mntner objects that were queryable during that time as potentially exposed (GitHub Advisory).
The fix is included in IRRd 4.2.3 and in the main branch. Users of the 4.2.x series are strongly recommended to upgrade to 4.2.3 or later. The 4.1.x series was never affected. Manually patching a 4.2.x or main-branch deployment is possible but not recommended (GitHub Advisory).
Source: This report was generated using AI