Row-Level Authorization Flaw in Hasura GraphQL Engine for Postgres Backends
CVE-2022-46792

8.8HIGH

Key Information:

Vendor

Hasura

Vendor
CVE Published:
8 December 2022

What is CVE-2022-46792?

The Hasura GraphQL Engine prior to version 2.15.2 exhibits a vulnerability that impacts row-level authorization specifically in the Update Many API when using Postgres backends. This flaw allows unauthorized access to data, potentially leading to data leakage or unauthorized data manipulation, depending on the implementation. Users are strongly advised to upgrade to the fixed versions, which are 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, or 2.15.2, to safeguard their applications against this risk.

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.