CVE-2022-46792

Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends. The fixed versions are 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2. (Versions before 2.10.0 are unaffected.)
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
CISA-ADPADP
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 40%
VendorProductVersion
hasuragraphql_engine
2.10.0 ≤
𝑥
< 2.10.2
hasuragraphql_engine
2.11.0 ≤
𝑥
< 2.11.3
hasuragraphql_engine
2.13.0 ≤
𝑥
< 2.13.2
hasuragraphql_engine
2.15.0 ≤
𝑥
< 2.15.2
hasuragraphql_engine
2.12.0
hasuragraphql_engine
2.12.0:beta1
hasuragraphql_engine
2.14.0
hasuragraphql_engine
2.14.0:beta1
hasuragraphql_engine
2.14.0:beta2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/hasura/graphql-engine/security/advisories/GHSA-g7mj-g7f4-hgrg
https://groups.google.com/g/hasura-security-announce/c/kzK-uPAKGUU
https://hasura.io/blog/critical-vulnerability-in-hasuras-graphql-engine-v2-10-0/
https://github.com/hasura/graphql-engine/security/advisories/GHSA-g7mj-g7f4-hgrg
https://groups.google.com/g/hasura-security-announce/c/kzK-uPAKGUU
https://hasura.io/blog/critical-vulnerability-in-hasuras-graphql-engine-v2-10-0/