CVE-2022-31047: 
PHP vulnerability analysis and mitigation

CVE-2022-31047 affects TYPO3, an open source web content management system. The vulnerability was discovered in versions prior to 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, where system internal credentials or keys (such as database credentials) could be exposed through plaintext logging in exception handlers when logging the complete exception stack trace (TYPO3 Advisory, GitHub Advisory).

The vulnerability occurs in the exception handling system where the full stack trace containing sensitive information was being logged by default. The issue specifically affects the AbstractExceptionHandler class, where exception objects containing potentially sensitive data were being passed directly to logging functions. The vulnerability has been assigned a CVSS v3.1 base score of 4.9, with attack vector being Network, attack complexity High, requiring Low privileges, and no user interaction needed (GitHub Advisory).

The vulnerability could lead to the disclosure of sensitive system information, particularly internal credentials and keys such as database credentials, through log files. This information disclosure could potentially be used by attackers to gain unauthorized access to system resources (TYPO3 Advisory).

The vulnerability has been fixed in TYPO3 versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.35 ELTS, 10.4.29, and 11.5.11. The fix involves modifying the exception handling behavior to prevent logging of the full stack trace by default, except in the DebugExceptionHandler. Users are advised to upgrade to these patched versions (TYPO3 Advisory, GitHub Commit).