CVE-2023-27588

Unauthenticated path traversal vulnerability in Hasura GraphQL Engine

Description

Hasura is an open-source product that provides users GraphQL or REST APIs. A path traversal vulnerability has been discovered within Hasura GraphQL Engine prior to versions 1.3.4, 2.55.1, 2.20.1, and 2.21.0-beta1. Projects running on Hasura Cloud were not vulnerable. Self-hosted Hasura Projects with deployments that are publicly exposed and not protected by a WAF or other HTTP protection layer should be upgraded to version 1.3.4, 2.55.1, 2.20.1, or 2.21.0-beta1 to receive a patch.

References

Link	Tags
https://github.com/hasura/graphql-engine/security/advisories/GHSA-c9rw-rw2f-mj4x	vendor advisory
https://github.com/hasura/graphql-engine/commit/dda54543ee1ecf647ca5d0971b140c3a7b9f4158	patch
https://github.com/hasura/graphql-engine/releases/tag/v1.3.4	release notes
https://github.com/hasura/graphql-engine/releases/tag/v2.11.5	release notes
https://github.com/hasura/graphql-engine/releases/tag/v2.20.1	release notes
https://github.com/hasura/graphql-engine/releases/tag/v2.21.0-beta.1	release notes

Frequently Asked Questions

What is the severity of CVE-2023-27588?: CVE-2023-27588 has been scored as a high severity vulnerability.
How to fix CVE-2023-27588?: To fix CVE-2023-27588, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-27588 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2023-27588 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-27588?: CVE-2023-27588 affects hasura graphql-engine.

Description

Category

CWE-22 – Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

References

Frequently Asked Questions