Insertion of Sensitive Information into Log File in typo3/cms-core
Description
TYPO3 is an open source web content management system. Prior to versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11, system internal credentials or keys (e.g. database credentials) can be logged as plaintext in exception handlers, when logging the complete exception stack trace. TYPO3 versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, 11.5.11 contain a fix for the problem.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TYPO3 prior to multiple versions logs internal credentials as plaintext in exception handlers, leading to information disclosure.
The vulnerability in TYPO3, a content management system, allows system internal credentials or keys (e.g., database credentials) to be logged as plaintext in exception handlers when the complete exception stack trace is recorded. This occurs because the exception object, which may contain sensitive data, is passed directly to the logging system without filtering [1][3].
An attacker can exploit this flaw by triggering an exception that causes the stack trace to be logged. This does not require authentication if any user-facing action can result in an unhandled exception. The attacker would then need access to the TYPO3 log files where the stack traces are stored [1].
Successful exploitation could expose sensitive credentials such as database passwords or encryption keys, potentially leading to full compromise of the TYPO3 installation and associated data [3].
TYPO3 has released fixes in versions 7.6.57 ELTS, 8.7.47 ELTS, 9.5.34 ELTS, 10.4.29, and 11.5.11. The patch adds a `logExceptionStackTrace` flag, implemented as a protected class property that defaults to false in the production exception handler and is overridden to true in the debug handler, so the exception object (and with it the stack trace) is no longer handed to the logger in production environments [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
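The leak path and the shape of the fix, as an added PHP example that is not TYPO3's code (connectToDatabase and LogRecordBuilder are hypothetical names; the password is a constructed sample value): an exception thrown inside a function whose arguments carry a secret is built into a log record once with the stack trace enabled and once without, and each record is checked for the secret.

```php
<?php
declare(strict_types=1);
// Added illustration of the mechanism, not TYPO3 code; connectToDatabase and
// LogRecordBuilder are hypothetical names chosen for this example.
// A function whose arguments hold a secret, like a database layer's connect().
function connectToDatabase(string $host, string $user, string $password): void
{
    // Simulate a failed connection attempt; a real driver would throw here.
    throw new RuntimeException("Could not connect to $host as $user");
}

final class LogRecordBuilder
{
    // Same shape as the fix: off by default, a debug handler may switch it on.
    public function __construct(private bool $logExceptionStackTrace = false) {}

    /** Builds the context array a handler would pass to its logger. */
    public function build(Throwable $exception): array
    {
        return [
            'file'      => $exception->getFile(),
            'line'      => $exception->getLine(),
            'message'   => $exception->getMessage(),
            // The serialised exception (trace incl. call arguments) is what can
            // leak credentials, so it is dropped unless explicitly enabled.
            'exception' => $this->logExceptionStackTrace ? $exception : null,
        ];
    }
}

// True when the record, serialised the way a log writer would, contains $secret.
function recordLeaks(array $record, string $secret): bool
{
    $exception = $record['exception'];
    // getTrace() carries each frame's 'args' unless zend.exception_ignore_args=1.
    $serialised = $exception instanceof Throwable
        ? json_encode($exception->getTrace(), JSON_PARTIAL_OUTPUT_ON_ERROR) : '';
    return str_contains((string) $serialised, $secret);
}

$secret = 'constructed-db-password'; // constructed sample value
try {
    connectToDatabase('db.internal', 'typo3', $secret);
} catch (RuntimeException $e) {
    $debug      = (new LogRecordBuilder(true))->build($e);
    $production = (new LogRecordBuilder(false))->build($e);
    printf("debug handler leaks secret: %s\n", recordLeaks($debug, $secret) ? 'yes' : 'no');
    printf("production handler leaks secret: %s\n", recordLeaks($production, $secret) ? 'yes' : 'no');
}
```

Run with PHP 8 on the CLI: with the engine default zend.exception_ignore_args=0 the first line prints yes and the second no. Setting zend.exception_ignore_args=1 (the php.ini-production default) strips argument values from traces and is a complementary hardening that works independently of the handler's flag.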
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| typo3/cms-core (Packagist) | >= 7.0.0, < 7.6.57 | 7.6.57 |
| typo3/cms-core (Packagist) | >= 8.0.0, < 8.7.47 | 8.7.47 |
| typo3/cms-core (Packagist) | >= 9.0.0, < 9.5.35 | 9.5.35 |
| typo3/cms-core (Packagist) | >= 10.0.0, < 10.4.29 | 10.4.29 |
| typo3/cms-core (Packagist) | >= 11.0.0, < 11.5.11 | 11.5.11 |
| typo3/cms (Packagist) | >= 10.0.0, < 10.4.29 | 10.4.29 |
| typo3/cms (Packagist) | >= 11.0.0, < 11.5.11 | 11.5.11 |
Affected products
OSV coordinates (no CPE assigned), version ranges shown:
- >= 7.0.0, < 7.6.57
- >= 10.0.0, < 10.4.29
Patches
c93ea692e7df [SECURITY] Do not log stacktrace in exception handlers
2 files changed · +5 −1
typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php+3 −1 modified@@ -40,6 +40,8 @@ abstract class AbstractExceptionHandler implements ExceptionHandlerInterface, Si const CONTEXT_WEB = 'WEB'; const CONTEXT_CLI = 'CLI'; + protected bool $logExceptionStackTrace = false; + private const IGNORED_EXCEPTION_CODES = [ 1396795884, // Current host header value does not match the configured trusted hosts pattern 1581862822, // Failed HMAC validation due to modified __trustedProperties in extbase property mapping @@ -98,7 +100,7 @@ protected function writeLogEntries(\Throwable $exception, string $mode): void 'line' => $exception->getLine(), 'message' => $exception->getMessage(), 'request_url' => $requestUrl, - 'exception' => $exception, + 'exception' => $this->logExceptionStackTrace ? $exception : null, ]); } } catch (\Exception $exception) {
typo3/sysext/core/Classes/Error/DebugExceptionHandler.php+2 −0 modified@@ -26,6 +26,8 @@ */ class DebugExceptionHandler extends AbstractExceptionHandler { + protected bool $logExceptionStackTrace = true; + /** * Constructs this exception handler - registers itself as the default exception handler. */
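Review bot: The new `protected bool $logExceptionStackTrace = false;` in the first AbstractExceptionHandler.php hunk has no docblock; add one stating that it controls whether the exception object (whose trace carries call arguments, and so potentially credentials) is handed to the logger, and that subclasses opt in by overriding it, so a later maintainer does not flip the default without seeing why it is false.

Review bot: In the `writeLogEntries` hunk, `'exception' => $this->logExceptionStackTrace ? $exception : null,` withholds the trace, but `'message' => $exception->getMessage(),` is still logged unfiltered, so an exception whose message embeds connection details would still reach the log; this limitation belongs in the commit message or the property docblock. Separately, the trailing `} catch (\Exception $exception) {` reuses the name of the exception being logged and shadows it inside the catch block; renaming it (for example `$loggingException`) would avoid confusion when that block reports the logging failure.

Review bot: The DebugExceptionHandler.php hunk overrides the property to `true` without a comment; add a docblock noting that this handler intentionally logs the full trace including argument values and must therefore only be registered in development contexts.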
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-fh99-4pgr-8j99 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-31047 (NVD advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-31047.yaml (web)
- github.com/TYPO3/typo3/commit/c93ea692e7dfef03b7c50fe5437487545bee4d6a (fix commit)
- github.com/TYPO3/typo3/security/advisories/GHSA-fh99-4pgr-8j99 (vendor advisory, confirm)
- typo3.org/security/advisory/typo3-core-sa-2022-002 (vendor advisory)
News mentions
No linked articles in our index yet.