CVE-2023-27588 : Security Advisory and Response

Unauthenticated path traversal flaw in Hasura GraphQL Engine before 1.3.4, 2.55.1, 2.20.1, and 2.21.0-beta1 allows unauthorized access. Learn mitigation steps.

This CVE involves an unauthenticated path traversal vulnerability in Hasura GraphQL Engine.

Understanding CVE-2023-27588

This vulnerability in Hasura GraphQL Engine poses a risk to systems utilizing versions prior to 1.3.4, 2.55.1, 2.20.1, and 2.21.0-beta1.

What is CVE-2023-27588?

Hasura GraphQL Engine, an open-source engine that exposes GraphQL and REST APIs over databases, contains a path traversal vulnerability that allows unauthorized access to files and directories outside the location the server intends to serve. This vulnerability affects versions of Hasura GraphQL Engine before 1.3.4, 2.55.1, 2.20.1, and 2.21.0-beta1.

The Impact of CVE-2023-27588

The vulnerability can be exploited by attackers to gain unauthorized access to sensitive files and data stored on the affected systems. It poses a high risk to the confidentiality of the data as it allows for potential leakage of sensitive information.

Technical Details of CVE-2023-27588

This section provides specific technical details about the vulnerability.

Vulnerability Description

The vulnerability involves an unauthenticated path traversal issue in Hasura GraphQL Engine, enabling attackers to navigate to restricted directories and access unauthorized files.

Affected Systems and Versions

        Hasura GraphQL Engine versions prior to 1.3.4
        Hasura GraphQL Engine versions >= 2.0.0, < 2.11.5
        Hasura GraphQL Engine versions >= 2.2.0, < 2.20.1

Exploitation Mechanism

The vulnerability can be exploited by crafting malicious requests that traverse directory structures to access files located outside the intended directories.
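A defender-side illustration, added here and not part of the advisory or of Hasura's own code: the page does not name the affected endpoint, so the `/console/assets` prefix and the access-log lines below are constructed assumptions. The first function is the containment check a file-serving handler should apply before opening anything; the second scans log lines for traversal attempts, including percent-encoded and double-encoded forms, which is the check a SOC would want while patching.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from any real Hasura deployment).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /console/assets/main.js HTTP/1.1" 200',
    '10.0.0.7 - - "GET /console/assets/../../etc/passwd HTTP/1.1" 200',
    '10.0.0.9 - - "GET /console/assets/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200',
    '10.0.0.9 - - "GET /console/assets/%252e%252e/secrets HTTP/1.1" 404',
    '10.0.0.3 - - "POST /v1/graphql HTTP/1.1" 200',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ "(\S+) (\S+) [^"]*" (\d{3})')


def decode_path(url_path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (double encoding is a classic filter bypass)
    and fold backslashes so every separator is a forward slash."""
    decoded = url_path
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def stays_within(base: str, url_path: str) -> bool:
    """Containment check for a handler: True only if the request path, once
    decoded and normalized the way a file server resolves it, is at or below
    `base`. A path that climbs out and back in (assets/../assets/x) is allowed
    because it resolves inside; anything resolving elsewhere is refused."""
    base = posixpath.normpath(base)
    resolved = posixpath.normpath(decode_path(url_path))
    return resolved == base or resolved.startswith(base.rstrip("/") + "/")


def has_traversal(url_path: str) -> bool:
    """Detection check: any '..' segment after decoding is a traversal attempt,
    even if it would ultimately resolve inside the allowed directory."""
    return any(seg == ".." for seg in decode_path(url_path).split("/"))


def flag_traversal_attempts(lines):
    """Return (client_ip, method, raw_path, status) for suspicious requests.
    Status is kept because a 200 on a traversal path means the server served it."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and has_traversal(m.group(3)):
            hits.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return hits
```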

Mitigation and Prevention

It is crucial for organizations using Hasura GraphQL Engine to take immediate steps to address and prevent exploitation of this vulnerability.

Immediate Steps to Take

        Upgrade affected systems to Hasura GraphQL Engine versions 1.3.4, 2.55.1, 2.20.1, or 2.21.0-beta1 to apply the necessary patch.
        Implement robust access controls and authentication mechanisms to restrict unauthorized access to sensitive files and directories.

Long-Term Security Practices

        Regularly update and patch software to mitigate known vulnerabilities.
        Conduct security assessments and penetration testing to identify and address weaknesses in the system.

Patching and Updates

        Hasura has released patches for the affected versions. Organizations should promptly apply these patches to secure their systems against this vulnerability.
