CVE-2020-26136
published 2021-06-08CVE-2020-26136: In SilverStripe through 4.6.0-rc1, GraphQL doesn't honour MFA (multi-factor authentication) when using basic authentication.
PriorityP339medium6.5CVSS 3.1
AVNACLPRLUINSUCNIHAN
EPSS
1.16%
63.1th percentile
In SilverStripe through 4.6.0-rc1, GraphQL doesn't honour MFA (multi-factor authentication) when using basic authentication.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| silverstripe | graphql | >= 3.0.0 < 3.5.0 | 3.5.0 |
| silverstripe | graphql | >= 4.0.0-alpha1 < 4.0.0-alpha2 | 4.0.0-alpha2 |
| silverstripe | silverstripe | < 4.6.0 | 4.6.0 |
| silverstripe | silverstripe | — | — |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
nvdv2.04.0MEDIUMAV:N/AC:L/Au:S/C:N/I:P/A:N
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Authentication bypass in SilverStripe GraphQL
osv·2021-06-10
CVE-2020-26136 [MEDIUM] Authentication bypass in SilverStripe GraphQL
Authentication bypass in SilverStripe GraphQL
The GraphQL module accepts basic-auth as an authentication method by default. This can be used to bypass MFA authentication if the silverstripe/mfa module is installed, which is now a commonly installed module. A users password is still required though.
Basic-auth has been removed as a default authentication method. If desired, it can be re-enabled by adding it to the authenticators key of a schema, or on SilverStripe\Graphql\Auth\Handler
GHSA
Authentication bypass in SilverStripe GraphQL
ghsa·2021-06-10
CVE-2020-26136 [MEDIUM] CWE-287 Authentication bypass in SilverStripe GraphQL
Authentication bypass in SilverStripe GraphQL
The GraphQL module accepts basic-auth as an authentication method by default. This can be used to bypass MFA authentication if the silverstripe/mfa module is installed, which is now a commonly installed module. A users password is still required though.
Basic-auth has been removed as a default authentication method. If desired, it can be re-enabled by adding it to the authenticators key of a schema, or on SilverStripe\Graphql\Auth\Handler
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://forum.silverstripe.org/c/releaseshttps://www.silverstripe.org/blog/tag/releasehttps://www.silverstripe.org/download/security-releases/https://www.silverstripe.org/download/security-releases/cve-2020-26136https://forum.silverstripe.org/c/releaseshttps://www.silverstripe.org/blog/tag/releasehttps://www.silverstripe.org/download/security-releases/https://www.silverstripe.org/download/security-releases/cve-2020-26136
2021-06-08
Published