API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resource. This attack appears to be exploitable via the user must be authorized. This vulnerability appears to have been fixed in 2.3.6.
References
Link | Resource |
---|---|
https://github.com/api-platform/core/issues/2364 | Issue Tracking Third Party Advisory |
https://github.com/api-platform/core/pull/2441 | Issue Tracking Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2019-02-04T21:00:00
Updated: 2019-02-04T20:57:01
Reserved: 2019-01-15T00:00:00
Link: CVE-2019-1000011
JSON object: View
NVD Information
Status : Analyzed
Published: 2019-02-04T21:29:01.050
Modified: 2020-08-24T17:37:01.140
Link: CVE-2019-1000011
JSON object: View
Redhat Information
No data.
CWE