CVE-2022-46792

Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends. The fixed versions are 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2. (Versions before 2.10.0 are unaffected.)

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/hasura/graphql-engine/security/advisories/GHSA-g7mj-g7f4-hgrg	Patch Third Party Advisory
https://groups.google.com/g/hasura-security-announce/c/kzK-uPAKGUU	Mailing List Patch Third Party Advisory
https://hasura.io/blog/critical-vulnerability-in-hasuras-graphql-engine-v2-10-0/	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:hasura:graphql_engine::::::::
	cpe:2.3:a:hasura:graphql_engine::::::::
	cpe:2.3:a:hasura:graphql_engine::::::::
	cpe:2.3:a:hasura:graphql_engine::::::::
	cpe:2.3:a:hasura:graphql_engine:2.12.0:-::::::
	cpe:2.3:a:hasura:graphql_engine:2.12.0:beta1::::::
	cpe:2.3:a:hasura:graphql_engine:2.14.0:-::::::
	cpe:2.3:a:hasura:graphql_engine:2.14.0:beta1::::::
	cpe:2.3:a:hasura:graphql_engine:2.14.0:beta2::::::

History

No history.

Information

Published : 2022-12-08 06:15

Updated : 2023-08-08 14:22

NVD link : CVE-2022-46792

Mitre link : CVE-2022-46792

CVE.ORG link : CVE-2022-46792

JSON object : View

Products Affected

hasura

graphql_engine

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2022-46792", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2022-12-08T06:15:08.940", "references": [{"url": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-g7mj-g7f4-hgrg", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://groups.google.com/g/hasura-security-announce/c/kzK-uPAKGUU", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://hasura.io/blog/critical-vulnerability-in-hasuras-graphql-engine-v2-10-0/", "tags": ["Mitigation", "Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends. The fixed versions are 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2. (Versions before 2.10.0 are unaffected.)"}, {"lang": "es", "value": "Hasura GraphQL Engine anterior a 2.15.2 maneja mal la autorizaci\u00f3n a nivel de fila en Update Many API para backends de Postgres. Las versiones corregidas son 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1 y 2.15.2. (Las versiones anteriores a la 2.10.0 no se ven afectadas)."}], "lastModified": "2023-08-08T14:22:24.967", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hasura:graphql_engine:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8B705C96-0584-4CC1-B9EF-B69C3F84E829", "versionEndExcluding": "2.10.2", "versionStartIncluding": "2.10.0"}, {"criteria": "cpe:2.3:a:hasura:graphql_engine:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "908BE462-E73A-4C41-9BBA-F64775943548", "versionEndExcluding": "2.11.3", "versionStartIncluding": "2.11.0"}, {"criteria": "cpe:2.3:a:hasura:graphql_engine:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B6B35B16-2DC0-460D-823B-6A8204658A70", "versionEndExcluding": "2.13.2", "versionStartIncluding": "2.13.0"}, {"criteria": "cpe:2.3:a:hasura:graphql_engine:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2D67188D-9C00-4D33-BD2C-141AB3FE8FD3", "versionEndExcluding": "2.15.2", "versionStartIncluding": "2.15.0"}, {"criteria": "cpe:2.3:a:hasura:graphql_engine:2.12.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5610371D-1DAB-48E6-9701-A07D52806573"}, {"criteria": "cpe:2.3:a:hasura:graphql_engine:2.12.0:beta1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "73834859-46F0-455C-B285-7D93E8BE0C92"}, {"criteria": "cpe:2.3:a:hasura:graphql_engine:2.14.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E32B6C3F-3E7A-4574-AC8F-B1605AD0009D"}, {"criteria": "cpe:2.3:a:hasura:graphql_engine:2.14.0:beta1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "19839FF4-1613-4564-9DB6-E55DA364F73A"}, {"criteria": "cpe:2.3:a:hasura:graphql_engine:2.14.0:beta2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "62B619A6-3194-4982-A273-A461F7728619"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}