Vulnerability from drupal
The GraphQL module enables you to build GraphQL APIs which can include data fetching through Queries and data updates (create, update, delete) through mutations.
The module does not sufficiently validate incoming requests that are made from domains other than the one serving the GraphQL endpoint. In case a user visits a malicious site, that site may make requests on the users behalf which can lead to the execution of mutations, exposing a CSRF vulnerability. Whether data is returned to the malicious site depends on your sites CORS configuration.
This vulnerability is mitigated by the fact that a user with access to the API must have an active session cookie while visiting a malicious site. This vulnerability is also mitigated by restricting session cookies with the SameSite attribute (see solution below).
{
"affected": [
{
"database_specific": {
"affected_versions": "\u003c3.4.0 || \u003e=4.0.0 \u003c4.6.0"
},
"package": {
"ecosystem": "Packagist:https://packages.drupal.org/8",
"name": "drupal/graphql"
},
"ranges": [
{
"database_specific": {
"constraint": "\u003c3.4.0"
},
"events": [
{
"introduced": "0"
},
{
"fixed": "3.4.0"
}
],
"type": "ECOSYSTEM"
},
{
"database_specific": {
"constraint": "\u003e=4.0.0 \u003c4.6.0"
},
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.6.0"
}
],
"type": "ECOSYSTEM"
}
],
"severity": []
}
],
"aliases": [],
"credits": [
{
"contact": [
"https://www.drupal.org/user/1485048"
],
"name": "Sam Becker"
}
],
"details": "The GraphQL module enables you to build GraphQL APIs which can include data fetching through Queries and data updates (create, update, delete) through mutations.\n\nThe module does not sufficiently validate incoming requests that are made from domains other than the one serving the GraphQL endpoint. In case a user visits a malicious site, that site may make requests on the users behalf which can lead to the execution of mutations, exposing a CSRF vulnerability. Whether data is returned to the malicious site depends on your sites CORS configuration.\n\nThis vulnerability is mitigated by the fact that a user with access to the API must have an active session cookie while visiting a malicious site. This vulnerability is also mitigated by restricting session cookies with the SameSite attribute (see solution below).",
"id": "DRUPAL-CONTRIB-2023-051",
"modified": "2023-11-08T17:10:24.000Z",
"published": "2023-11-08T15:33:12.000Z",
"references": [
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2023-051"
}
],
"schema_version": "1.7.0"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.