=====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN484
_____________________________________________________________________

DATE                : 16/09/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running GraphQL for Drupal versions 8.x-4.x
                                     prior to 8.x-4.2.

=====================================================================
https://www.drupal.org/sa-contrib-2021-029
_____________________________________________________________________


GraphQL - Moderately critical - Access bypass - SA-CONTRIB-2021-029


Project:         GraphQL
Date:            2021-September-15
Security risk:
Moderately critical 13∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability:   Access bypass
CVE IDs:         CVE-2020-13675


Description:

This advisory addresses a similar issue to Drupal core - Moderately
critical - Access bypass - SA-CORE-2021-008.

The GraphQL module allows file uploads through its HTTP API. The module
does not correctly run all file validation, which causes an access
bypass vulnerability. An attacker might be able to upload files that
bypass the file validation process implemented by modules on the site.

This vulnerability is mitigated by four factors:

    The GraphQL module must be enabled on the site.
    The GraphQL schema must expose a file upload by using the helper
"src/GraphQL/Utility/FileUpload.php" in the module.
    An attacker must have access to that file upload via the GraphQL
API.
    The site must employ a file validation module.


Solution:

Install the latest version:

    If you use the GraphQL module 8.x-4.x for Drupal 8.x or 9.x, upgrade
to GraphQL 8.x-4.2
    If you use the GraphQL module 8.x-3.x for Drupal 8.x no action is
needed as a result of this advisory as the 8.x-3.x branch is not
affected by this issue.


Reported By:

    Klaus Purer


Fixed By:

    Klaus Purer
    Jess of the Drupal Security Team
    pmelab
    Drew Webber of the Drupal Security Team
    Lee Rowlands of the Drupal Security Team
    Alex Pott of the Drupal Security Team
    Samuel Mortenson
    Kim Pepper


Coordinated By:

    xjm of the Drupal Security Team
    Drew Webber of the Drupal Security Team




=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================