CVE-2023-44401 — Incorrect Authorization in Graphql
Severity
5.3 MEDIUM (CNA), no vector
EPSS
0.2% (top 59.52%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Jan 23
Description
Silverstripe GraphQL's view permissions are bypassed for paginated lists of ORM data
The Silverstripe CMS GraphQL Server serves Silverstripe data as GraphQL representations. In versions 4.0.0 prior to 4.3.7 and 5.0.0 prior to 5.1.3, `canView` permission checks are bypassed for ORM data in paginated GraphQL query results where the total number of records is greater than the number of records per page. Note that this also affects GraphQL queries which have a limit applied, even if the query isn’t…