CVE Vulnerability

CVE-2022-46792

Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends. The fixed versions are 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2. (Versions before 2.10.0 are unaffected.)

8.8 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://hasura.io/blog/critical-vulnerability-in-hasuras-graphql-engine-v2-10-0/ Mitigation Vendor Advisory
https://groups.google.com/g/hasura-security-announce/c/kzK-uPAKGUU Mailing List Patch
https://github.com/hasura/graphql-engine/security/advisories/GHSA-g7mj-g7f4-hgrg Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:hasura:graphql_engine:*:*:*:*:*:*:*:*
cpe:2.3:a:hasura:graphql_engine:2.14.0:-:*:*:*:*:*:*
cpe:2.3:a:hasura:graphql_engine:2.14.0:beta1:*:*:*:*:*:*
cpe:2.3:a:hasura:graphql_engine:2.14.0:beta2:*:*:*:*:*:*
cpe:2.3:a:hasura:graphql_engine:*:*:*:*:*:*:*:*
cpe:2.3:a:hasura:graphql_engine:2.12.0:beta1:*:*:*:*:*:*
cpe:2.3:a:hasura:graphql_engine:2.12.0:-:*:*:*:*:*:*
cpe:2.3:a:hasura:graphql_engine:*:*:*:*:*:*:*:*
cpe:2.3:a:hasura:graphql_engine:*:*:*:*:*:*:*:*
Information

Published : 2022-12-08 06:15

Updated : 2022-12-10 03:10

NVD link : CVE-2022-46792

Mitre link : CVE-2022-46792

Products Affected
No products.
CWE
CWE-732