SuiteCRM has Unauthenticated Graphql Introspection Enabled
CVE-2023-47643

3.1LOW

Key Information:

Vendor

Salesagility

Status
Suitecrm-core
Vendor
CVE Published:
21 November 2023

What is CVE-2023-47643?

SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash. This issue is patched in version 8.4.2. There are no known workarounds.

Affected Version(s)

SuiteCRM-Core < 8.4.2

References

https://github.com/salesagility/SuiteCRM-Core/security/ad...
x_refsource_CONFIRM
https://github.com/salesagility/SuiteCRM-Core/commit/117d...
x_refsource_MISC
https://www.apollographql.com/blog/graphql/security/why-y...
x_refsource_MISC

EPSS Score

7% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
3.1
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.