Sulu: Used API Keys may be available via Admin API — GHSA-9M6V-8FXC-4R44

Summary

### Impact The users endpoint controller exposes a project's apiKey field to the logged-in user, provided they have permission for that endpoint. This only has impact if a project itself uses that specific field, Sulu itself does nothing with it and has no authentication per apiKey in its core. ### Patches A patch is released with Version 2.6.23 and 3.0.5. ### Workarounds Remove the field descriptor by patch the…

Product

composer: sulu/sulu

What to do

General, cautious steps (verify details in the official source):

• Review exposure and plan remediation based on risk and environment.
• Identify affected product versions in your inventory and verify whether you are impacted.
• Apply vendor patches/updates or recommended mitigations as soon as available.
• Read the official advisory for exact affected versions and remediation steps.

Official advisory

• Read the official source

Related advisories