Unauthenticated path traversal vulnerability in Hasura GraphQL Engine
CVE-2023-27588

7.5HIGH

Key Information:

Vendor

Hasura

Vendor
CVE Published:
14 March 2023

What is CVE-2023-27588?

A path traversal vulnerability has been identified in Hasura GraphQL Engine versions earlier than 1.3.4, 2.55.1, 2.20.1, and 2.21.0-beta1. This vulnerability allows an attacker to access files outside of the intended directory structure, posing significant risks to the integrity of the application. While projects hosted on Hasura Cloud are unaffected, those that are self-hosted and publicly exposed, lacking a web application firewall (WAF) or similar HTTP protections, must be upgraded to the patched versions to ensure security and safeguard against potential exploits.

Affected Version(s)

graphql-engine < 1.3.4 < 1.3.4

graphql-engine >= 2.0.0, < 2.11.5 < 2.0.0, 2.11.5

graphql-engine >= 2.2.0, < 2.20.1 < 2.2.0, 2.20.1

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.