CVE-2022-46792 - OpenCVE

Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends. The fixed versions are 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2. (Versions before 2.10.0 are unaffected.)

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Hasura	Graphql Engine

Configuration 1 [-]

OR	cpe:2.3:a:hasura:graphql_engine::::::::
	cpe:2.3:a:hasura:graphql_engine::::::::
	cpe:2.3:a:hasura:graphql_engine::::::::
	cpe:2.3:a:hasura:graphql_engine::::::::
	cpe:2.3:a:hasura:graphql_engine:2.12.0:-::::::
	cpe:2.3:a:hasura:graphql_engine:2.12.0:beta1::::::
	cpe:2.3:a:hasura:graphql_engine:2.14.0:-::::::
	cpe:2.3:a:hasura:graphql_engine:2.14.0:beta1::::::
	cpe:2.3:a:hasura:graphql_engine:2.14.0:beta2::::::

References

Link	Resource
https://github.com/hasura/graphql-engine/security/advisories/GHSA-g7mj-g7f4-hgrg	Patch Third Party Advisory
https://groups.google.com/g/hasura-security-announce/c/kzK-uPAKGUU	Mailing List Patch Third Party Advisory
https://hasura.io/blog/critical-vulnerability-in-hasuras-graphql-engine-v2-10-0/	Mitigation Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-12-08T00:00:00

Updated: 2022-12-08T00:00:00

Reserved: 2022-12-08T00:00:00

Link: CVE-2022-46792

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-12-08T06:15:08.940

Modified: 2023-08-08T14:22:24.967

Link: CVE-2022-46792

JSON object: View

Redhat Information

No data.

CWE

CWE-863

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hasura:graphql_engine:*:*:*:*:*:*:*:*", "matchCriteriaId": "8B705C96-0584-4CC1-B9EF-B69C3F84E829", "versionEndExcluding": "2.10.2", "versionStartIncluding": "2.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hasura:graphql_engine:*:*:*:*:*:*:*:*", "matchCriteriaId": "908BE462-E73A-4C41-9BBA-F64775943548", "versionEndExcluding": "2.11.3", "versionStartIncluding": "2.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hasura:graphql_engine:*:*:*:*:*:*:*:*", "matchCriteriaId": "B6B35B16-2DC0-460D-823B-6A8204658A70", "versionEndExcluding": "2.13.2", "versionStartIncluding": "2.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hasura:graphql_engine:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D67188D-9C00-4D33-BD2C-141AB3FE8FD3", "versionEndExcluding": "2.15.2", "versionStartIncluding": "2.15.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hasura:graphql_engine:2.12.0:-:*:*:*:*:*:*", "matchCriteriaId": "5610371D-1DAB-48E6-9701-A07D52806573", "vulnerable": true}, {"criteria": "cpe:2.3:a:hasura:graphql_engine:2.12.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "73834859-46F0-455C-B285-7D93E8BE0C92", "vulnerable": true}, {"criteria": "cpe:2.3:a:hasura:graphql_engine:2.14.0:-:*:*:*:*:*:*", "matchCriteriaId": "E32B6C3F-3E7A-4574-AC8F-B1605AD0009D", "vulnerable": true}, {"criteria": "cpe:2.3:a:hasura:graphql_engine:2.14.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "19839FF4-1613-4564-9DB6-E55DA364F73A", "vulnerable": true}, {"criteria": "cpe:2.3:a:hasura:graphql_engine:2.14.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "62B619A6-3194-4982-A273-A461F7728619", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends. The fixed versions are 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2. (Versions before 2.10.0 are unaffected.)"}, {"lang": "es", "value": "Hasura GraphQL Engine anterior a 2.15.2 maneja mal la autorizaci\u00f3n a nivel de fila en Update Many API para backends de Postgres. Las versiones corregidas son 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1 y 2.15.2. (Las versiones anteriores a la 2.10.0 no se ven afectadas)."}], "id": "CVE-2022-46792", "lastModified": "2023-08-08T14:22:24.967", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-08T06:15:08.940", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-g7mj-g7f4-hgrg"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "https://groups.google.com/g/hasura-security-announce/c/kzK-uPAKGUU"}, {"source": "cve@mitre.org", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://hasura.io/blog/critical-vulnerability-in-hasuras-graphql-engine-v2-10-0/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}