Vulnerability from drupal
Published
2023-11-08 15:30
Modified
2023-11-08 17:10
Summary
Details
This module lets you craft and expose a GraphQL schema for Drupal 9 and 10.
The module currently does not adequately verify whether a given user has the necessary permissions to access an entity's label, creating an access bypass vulnerability.
This vulnerability is mitigated by the fact that entity view and entity label access are usually handled by the same access check; developers have to opt in to supporting different logic on entity types. Additionally, your schema must make use of the EntityLabel DataProducer to be affected.
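As an added illustration (this is not the graphql module's own EntityLabel producer and not the project's fix), the block below shows the pattern the advisory describes: a data producer that returns an entity label without asking the entity's access control handler, next to a hardened resolver that gates the label on the 'view label' entity access operation and records the access result's cacheability. It also shows the opt-in the advisory refers to: core's EntityAccessControlHandler maps 'view label' onto 'view' unless the handler sets $viewLabelOperation to TRUE, which is where the two checks start to diverge. The module name example_graphql, the plugin ID, the class names and the permission names are assumptions for the example.

```php
<?php

// Added example, not code from the graphql module. Module name, plugin ID,
// class names and permission names are assumed. In a real module each class
// lives in its own PSR-4 file; they are shown together here for reading.

namespace Drupal\example_graphql\Plugin\GraphQL\DataProducer;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityAccessControlHandler;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\graphql\GraphQL\Execution\FieldContext;
use Drupal\graphql\Plugin\GraphQL\DataProducer\DataProducerPluginBase;

/**
 * Resolves an entity's label only if the current user may view the label.
 *
 * @DataProducer(
 *   id = "example_entity_label_checked",
 *   name = @Translation("Entity label (access checked)"),
 *   description = @Translation("Label of an entity, or NULL if not accessible."),
 *   produces = @ContextDefinition("string",
 *     label = @Translation("Label"),
 *     required = FALSE
 *   ),
 *   consumes = {
 *     "entity" = @ContextDefinition("entity",
 *       label = @Translation("Entity")
 *     )
 *   }
 * )
 */
class CheckedEntityLabel extends DataProducerPluginBase {

  /**
   * The unchecked pattern: hands back the label of whatever entity arrives.
   *
   * Whether the upstream producer that loaded the entity checked 'view' at
   * all depends on how the schema was wired, and even when it did, nothing
   * here asks about 'view label'. An entity type whose handler answers the
   * two operations differently therefore leaks its label.
   */
  public function resolveUnchecked(EntityInterface $entity): ?string {
    return $entity->label();
  }

  /**
   * Hardened resolver: checks 'view label' and keeps the result's cacheability.
   */
  public function resolve(EntityInterface $entity, FieldContext $field_context): ?string {
    // TRUE as third argument returns an AccessResult object instead of a bool,
    // so the cache contexts and tags the decision depends on are available.
    $access = $entity->access('view label', NULL, TRUE);
    // The answer depends on who is asking (user.permissions, entity tags);
    // attach it so a cached response is not served to a user who would be denied.
    $field_context->addCacheableDependency($access);
    return $access->isAllowed() ? $entity->label() : NULL;
  }

}

/**
 * Access handler for a hypothetical entity type whose label access differs
 * from its view access. Without $viewLabelOperation = TRUE, core would map
 * 'view label' onto 'view' and the two checks could never disagree.
 *
 * (Real module: src/ExampleRecordAccessControlHandler.php, referenced from
 * the entity type's "access" handler annotation.)
 */
class ExampleRecordAccessControlHandler extends EntityAccessControlHandler {

  /**
   * {@inheritdoc}
   */
  protected $viewLabelOperation = TRUE;

  /**
   * {@inheritdoc}
   */
  protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
    // Assumed permission names for the example.
    if ($operation === 'view label') {
      return AccessResult::allowedIfHasPermissions($account, [
        'view example records',
        'list example record titles',
      ], 'OR')->addCacheableDependency($entity);
    }
    if ($operation === 'view') {
      return AccessResult::allowedIfHasPermission($account, 'view example records')
        ->addCacheableDependency($entity);
    }
    return parent::checkAccess($entity, $operation, $account);
  }

}
```

For entity types with a default access handler the 'view label' check resolves to the same answer as 'view', so the hardened resolver costs nothing there and is the only check that protects the types that opted in. Passing the AccessResult into the field context matters as much as the check itself: a label resolved without that dependency can be cached under a key that ignores the requesting user's permissions.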
Credits
Dezső Biczó
www.drupal.org/user/315522
{
  "affected": [
    {
      "database_specific": {
        "affected_versions": "<3.4.0 || >=4.0.0 <4.6.0"
      },
      "package": {
        "ecosystem": "Packagist:https://packages.drupal.org/8",
        "name": "drupal/graphql"
      },
      "ranges": [
        {
          "database_specific": {
            "constraint": "<3.4.0"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "database_specific": {
            "constraint": ">=4.0.0 <4.6.0"
          },
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": []
    }
  ],
  "aliases": [],
  "credits": [
    {
      "contact": [
        "https://www.drupal.org/user/315522"
      ],
      "name": "Dezső Biczó"
    }
  ],
  "details": "This module lets you craft and expose a GraphQL schema for Drupal 9 and 10.\n\nThe module currently does not adequately verify whether a given user has the necessary permissions to access an entity's label creating an access bypass vulnerability.\n\nThis vulnerability is mitigated by the fact that entity view and entity label access are usually handled by the same access check; developers have to opt-in for supporting different logic on entity types. Additionally your schema must make use of the EntityLabel DataProducer to be affected.",
  "id": "DRUPAL-CONTRIB-2023-050",
  "modified": "2023-11-08T17:10:18.000Z",
  "published": "2023-11-08T15:30:45.000Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2023-050"
    }
  ],
  "schema_version": "1.7.0"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.