NVD:CVE-2022-46792
History: Dec 08, 2022 - 6:15 a.m.

CVE-2022-46792

2022-12-08 06:15:08
CWE-863
web.nvd.nist.gov
hasura graphql engine
update many api
vulnerability fix
versions 2.10.2
2.11.3
2.12.1

CVSS3: 8.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.001 Low
Percentile: 47.3%

Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends. The fixed versions are 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2. (Versions before 2.10.0 are unaffected.)

Affected configurations

NVD
Node
hasura graphql_engine Range 2.10.0–2.10.2
OR
hasura graphql_engine Range 2.11.0–2.11.3
OR
hasura graphql_engine Range 2.13.0–2.13.2
OR
hasura graphql_engine Range 2.15.0–2.15.2
OR
hasura graphql_engine Match 2.12.0-
OR
hasura graphql_engine Match 2.12.0beta1
OR
hasura graphql_engine Match 2.14.0-
OR
hasura graphql_engine Match 2.14.0beta1
OR
hasura graphql_engine Match 2.14.0beta2
