
Unauthenticated path traversal vulnerability in Hasura GraphQL Engine

Critical
timothy-hasura published GHSA-c9rw-rw2f-mj4x Mar 13, 2023

Package

graphql-engine (Haskell)

Affected versions

Up to 2.20.0

Patched versions

v2.11.5, v2.20.1, v2.21.0-beta.1, v1.3.4

Description

Security Notification
A Path Traversal security vulnerability has been recently discovered within the GraphQL Engine.

What we have done

We have patched versions 1.3, 2.11, 2.20, and 2.21-beta.

  • v2.11.5
  • v2.20.1
  • v2.21.0-beta.1
  • v1.3.4

What action do I need to take?
Hasura Cloud Projects: Projects running on Hasura Cloud were not vulnerable. No further action is needed unless you also self-host Hasura (see below).
Self-hosted Hasura Projects (Community Edition or Enterprise Edition): If your deployment is publicly exposed and not protected by a WAF or other HTTP protection layer, do one of the following: unset HASURA_GRAPHQL_CONSOLE_ASSETS_DIR, disable the console (a mitigation only for versions prior to 2.17.0), or update immediately to one of the fixed versions.

Details
Hasura Console is vulnerable to a critical path traversal vulnerability when configured to use custom assets. If your deployment sets HASURA_GRAPHQL_CONSOLE_ASSETS_DIR, you may be vulnerable: requested asset paths are resolved against that directory without being confined to it, so a crafted request can read files outside it. In order to be vulnerable, all of the following must be true:

  1. You have set HASURA_GRAPHQL_CONSOLE_ASSETS_DIR.
  2. The console is enabled, or you are running version 2.17.0 or later (from 2.17.0 onward, disabling the console is not a mitigation).
  3. Your system is exposed to untrusted systems or users.
  4. Your system does not have protections provided by a WAF, IPS, or webserver configuration that would block path traversal.
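The following is an added exposure check that applies the four conditions above (and the "What action do I need to take?" guidance) to a self-hosted deployment. It is example code written for this page, not Hasura tooling. Conditions 3 and 4 cannot be observed from inside the process, so they are passed in as flags; condition 2 is evaluated from HASURA_GRAPHQL_ENABLE_CONSOLE, the environment variable Hasura uses to enable the console, which this advisory does not name. The fixed-version logic assumes that patch releases later than the ones listed on the same release line (for example a hypothetical 2.11.6) also carry the fix, and that no pre-release of 2.21.0 earlier than beta.1 needs to be distinguished.

```python
"""Exposure check for GHSA-c9rw-rw2f-mj4x / CVE-2023-27588 (added example, not Hasura code)."""
import re
from typing import List, Mapping, Tuple

# First patched patch level on each release line named in the advisory.
# Assumption: later patch releases on these lines also contain the fix.
PATCHED_BRANCHES = {(1, 3): 4, (2, 11): 5, (2, 20): 1}
# 2.21.0-beta.1 and every later line are fixed.
FIRST_FIXED_LINE = (2, 21)
# From this version on, disabling the console no longer mitigates (condition 2).
CONSOLE_DISABLE_INEFFECTIVE_FROM = (2, 17)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text: str) -> Tuple[int, int, int, str]:
    """Parse 'v2.21.0-beta.1' style strings into (major, minor, patch, prerelease)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre or ""


def is_patched(version: str) -> bool:
    """True if the running version is one of the fixed releases (or later on a fixed line)."""
    major, minor, patch, _pre = parse_version(version)
    if (major, minor) >= FIRST_FIXED_LINE:
        return True
    fixed_patch = PATCHED_BRANCHES.get((major, minor))
    return fixed_patch is not None and patch >= fixed_patch


def console_assets_exposed(env: Mapping[str, str], version: str,
                           reachable_by_untrusted: bool,
                           traversal_blocked_upstream: bool) -> bool:
    """Return True only when all four advisory conditions hold on an unpatched build."""
    if is_patched(version):
        return False
    # Condition 1: a custom assets directory is configured.
    if not env.get("HASURA_GRAPHQL_CONSOLE_ASSETS_DIR"):
        return False
    # Condition 2: console enabled, or version >= 2.17.0 where disabling does not help.
    major, minor, _patch, _pre = parse_version(version)
    console_enabled = env.get("HASURA_GRAPHQL_ENABLE_CONSOLE", "false").lower() == "true"
    if not console_enabled and (major, minor) < CONSOLE_DISABLE_INEFFECTIVE_FROM:
        return False
    # Conditions 3 and 4: reachable by untrusted parties and no upstream traversal filter.
    return reachable_by_untrusted and not traversal_blocked_upstream


def mitigations(env: Mapping[str, str], version: str) -> List[str]:
    """List the advisory's options for an unpatched deployment, most targeted first."""
    if is_patched(version):
        return []
    major, minor, _patch, _pre = parse_version(version)
    steps = ["unset HASURA_GRAPHQL_CONSOLE_ASSETS_DIR"]
    if (major, minor) < CONSOLE_DISABLE_INEFFECTIVE_FROM:
        steps.append("set HASURA_GRAPHQL_ENABLE_CONSOLE=false")
    # Upgrade target: the fixed release on the same line, else the stable fix v2.20.1.
    target = {(1, 3): "v1.3.4", (2, 11): "v2.11.5"}.get((major, minor), "v2.20.1")
    steps.append(f"upgrade to {target}")
    return steps


if __name__ == "__main__":
    # Constructed sample deployment: custom assets, console off, 2.18.x, internet-facing, no WAF.
    sample_env = {"HASURA_GRAPHQL_CONSOLE_ASSETS_DIR": "/srv/console-assets",
                  "HASURA_GRAPHQL_ENABLE_CONSOLE": "false"}
    print(console_assets_exposed(sample_env, "v2.18.0", True, False))
    print(mitigations(sample_env, "v2.18.0"))
```

Note that a 2.18.x deployment with the console disabled still comes out exposed, which is the point of condition 2; on 2.16.x the same configuration does not.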

It has been determined that this attack can be leveraged to recover the admin secret for the console and API.
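To make the bug class concrete, here is an added, illustrative static-asset resolver. It is not the Hasura console code and makes no claim about how graphql-engine serves HASURA_GRAPHQL_CONSOLE_ASSETS_DIR internally; it only contrasts joining a request path onto an assets directory with resolving the path and then confirming it stayed inside that directory. The directory layout and the secret file it reads back are constructed for the demonstration.

```python
"""Naive vs. contained asset resolution (added example, not Hasura code)."""
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional
from urllib.parse import unquote


def resolve_unsafe(assets_dir: str, request_path: str) -> str:
    """The bug class: join and normalise, with no check that the result is still under assets_dir."""
    return os.path.normpath(os.path.join(assets_dir, unquote(request_path)))


def resolve_safe(assets_dir: str, request_path: str) -> Optional[Path]:
    """Resolve the request under assets_dir; return None unless it is a regular file inside it."""
    root = Path(assets_dir).resolve()
    # Decode once so %2e%2e is caught; strip the leading slash so the join cannot reset to '/'.
    rel = unquote(request_path).lstrip("/")
    # resolve() collapses '..' and follows symlinks, so a symlink out of root is also rejected.
    candidate = (root / rel).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    if not candidate.is_file():
        return None
    return candidate


def demo() -> Dict[str, object]:
    """Build a constructed layout: assets/main.js beside a secret file one level up."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "assets").mkdir()
        (base / "assets" / "main.js").write_text("console.log('ok')\n")
        # Constructed stand-in for a file an attacker would want, e.g. one holding the admin secret.
        (base / "secret.env").write_text("HASURA_GRAPHQL_ADMIN_SECRET=constructed-sample-value\n")
        assets = str(base / "assets")
        return {
            "legit_safe": resolve_safe(assets, "/main.js") is not None,
            "traversal_safe": resolve_safe(assets, "/../secret.env"),
            "encoded_safe": resolve_safe(assets, "/%2e%2e/secret.env"),
            "traversal_unsafe_escapes": resolve_unsafe(assets, "../secret.env") == str(base / "secret.env"),
        }


if __name__ == "__main__":
    print(demo())
```

The unsafe variant hands back a path outside the assets directory for `../secret.env`; the contained variant returns None for both the plain and the percent-encoded traversal while still serving `main.js`. A WAF rule that blocks `..` and `%2e%2e` in the request path (condition 4 above) is a stopgap for the same gap; the contained resolution is the actual fix.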

If you have any questions or concerns, please do reach out to us at [email protected].

Thank you,
The Hasura Cloud Team

Severity

Critical

CVE ID

CVE-2023-27588
