Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends. The fixed versions are 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2. (Versions before 2.10.0 are unaffected.)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HHasura Graphql Engine
APPHasura2.12.02.14.02.10.0 – 2.10.2 (bez)2.11.0 – 2.11.3 (bez)2.13.0 – 2.13.2 (bez)2.15.0 – 2.15.2 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
References
Related vulnerabilities
CVE-2021-47748CRITICAL9.3PL ✓ten sam produkt
RCE w Hasura GraphQL Engine przez COPY FROM PROGRAM
CVE-2021-47713HIGH8.7ten sam produkt
Hasura GraphQL 1.3.3 contains a denial of service vulnerability that allows attackers to overwhelm the service...
CVE-2023-27588HIGH7.5ten sam produkt
Hasura is an open-source product that provides users GraphQL or REST APIs. A path traversal vulnerability has ...
CVE-2019-1020015HIGH7.5ten sam produkt
graphql-engine (aka Hasura GraphQL Engine) before 1.0.0-beta.3 mishandles the audience check while verifying J...
CVE-2021-47714MEDIUM6.9ten sam produkt
Hasura GraphQL 1.3.3 contains a local file read vulnerability that allows attackers to access system files thr...