CVE-2023-27588
Summary
| CVE | CVE-2023-27588 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-03-14 18:15:00 UTC |
| Updated | 2023-03-21 13:43:00 UTC |
| Description | Hasura is an open-source product that provides users GraphQL or REST APIs. A path traversal vulnerability has been discovered within Hasura GraphQL Engine prior to versions 1.3.4, 2.55.1, 2.20.1, and 2.21.0-beta1. Projects running on Hasura Cloud were not vulnerable. Self-hosted Hasura Projects with deployments that are publicly exposed and not protected by a WAF or other HTTP protection layer should be upgraded to version 1.3.4, 2.55.1, 2.20.1, or 2.21.0-beta1 to receive a patch. |
Risk And Classification
Problem Types: CWE-22
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Hasura | Graphql Engine | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Release v1.3.4 · hasura/graphql-engine · GitHub | MISC | github.com | |
| console: fix event triggers headers and import OAS modify button redi… · hasura/graphql-engine@dda5454 · GitHub | MISC | github.com | |
| Release v2.11.5 · hasura/graphql-engine · GitHub | MISC | github.com | |
| Unauthenticated path traversal vulnerability in Hasura GraphQL Engine · Advisory · hasura/graphql-engine · GitHub | MISC | github.com | |
| Release v2.20.1 · hasura/graphql-engine · GitHub | MISC | github.com | |
| Release v2.21.0-beta.1 · hasura/graphql-engine · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.