Unauthenticated path traversal vulnerability in Hasura GraphQL Engine
CVE-2023-27588
7.5HIGH
What is CVE-2023-27588?
A path traversal vulnerability has been identified in Hasura GraphQL Engine versions earlier than 1.3.4, 2.55.1, 2.20.1, and 2.21.0-beta1. This vulnerability allows an attacker to access files outside of the intended directory structure, posing significant risks to the integrity of the application. While projects hosted on Hasura Cloud are unaffected, those that are self-hosted and publicly exposed, lacking a web application firewall (WAF) or similar HTTP protections, must be upgraded to the patched versions to ensure security and safeguard against potential exploits.
Affected Version(s)
graphql-engine < 1.3.4 < 1.3.4
graphql-engine >= 2.0.0, < 2.11.5 < 2.0.0, 2.11.5
graphql-engine >= 2.2.0, < 2.20.1 < 2.2.0, 2.20.1
