CVE-2022-46792

EUVD-2022-49574
Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends. The fixed versions are 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2. (Versions before 2.10.0 are unaffected.)
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA-ADPADP
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 67%
Affected Products (NVD)
VendorProductVersion
hasuragraphql_engine
2.10.0 ≤
𝑥
< 2.10.2
hasuragraphql_engine
2.11.0 ≤
𝑥
< 2.11.3
hasuragraphql_engine
2.13.0 ≤
𝑥
< 2.13.2
hasuragraphql_engine
2.15.0 ≤
𝑥
< 2.15.2
hasuragraphql_engine
2.12.0
hasuragraphql_engine
2.12.0:beta1
hasuragraphql_engine
2.14.0
hasuragraphql_engine
2.14.0:beta1
hasuragraphql_engine
2.14.0:beta2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/hasura/graphql-engine/security/advisories/GHSA-g7mj-g7f4-hgrg
https://groups.google.com/g/hasura-security-announce/c/kzK-uPAKGUU
https://hasura.io/blog/critical-vulnerability-in-hasuras-graphql-engine-v2-10-0/
https://github.com/hasura/graphql-engine/security/advisories/GHSA-g7mj-g7f4-hgrg
https://groups.google.com/g/hasura-security-announce/c/kzK-uPAKGUU
https://hasura.io/blog/critical-vulnerability-in-hasuras-graphql-engine-v2-10-0/