SuiteCRM has Unauthenticated Graphql Introspection Enabled
CVE-2023-47643

3.1LOW

Key Information:

Vendor
Salesagility
Status
Suitecrm-core
Vendor
CVE Published:
21 November 2023

Summary

SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash. This issue is patched in version 8.4.2. There are no known workarounds.

Affected Version(s)

SuiteCRM-Core < 8.4.2

References

https://github.com/salesagility/SuiteCRM-Core/security/ad...
x_refsource_CONFIRM
https://github.com/salesagility/SuiteCRM-Core/commit/117d...
x_refsource_MISC
https://www.apollographql.com/blog/graphql/security/why-y...
x_refsource_MISC

EPSS Score

49% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
3.1
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2023-47643 : SuiteCRM has Unauthenticated Graphql Introspection Enabled | SecurityVulnerability.io