===================================================================== CERT-Renater Note d'Information No. 2022/VULN451 _____________________________________________________________________ DATE : 08/12/2022 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Hasura GraphQL Engine versions prior to 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, 2.15.2. ===================================================================== https://github.com/hasura/graphql-engine/security/advisories/GHSA-g7mj-g7f4-hgrg _____________________________________________________________________ Critical vulnerability impacting Hasura GraphQL Engine v2.10.0 to v2.15.1 Critical timothy-hasura published GHSA-g7mj-g7f4-hgrg Package No package listed Affected versions 2.10.0, 2.10.1, 2.11.0, 2.11.1, 2.11.2, 2.12.0, 2.13.0, 2.13.1, 2.14.0, 2.15.0, 2.15.1 Patched versions 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, 2.15.2 Description Impact A critical vulnerability has been discovered on Hasura GraphQL Engine v2.10.0 and later. It impacts Community, Enterprise and Cloud Editions. Hasura Cloud has already been patched and is no longer vulnerable. We urge all users to upgrade to the following patched versions immediately. Patches Community Edition Affected versions Patched version v2.15.1, v2.15.0 v2.15.2 v2.14.0 v2.14.1 v2.13.1, v2.13.0 v2.13.2 v2.12.0 v2.12.1 v2.11.2, v2.11.1, v2.11.0 v2.11.3 v2.10.1, v2.10.0 v2.10.2 Enterprise Edition Affected versions Patched version v2.15.1, v2.15.0 v2.15.2 v2.14.0 v2.14.1 v2.13.1, v2.13.0 v2.13.2 v2.12.0 v2.12.1 v2.11.2-pro.1, v2.11.1-pro.1, v2.11.0-pro.1 v2.11.3-pro.1 v2.10.1-pro.1, v2.10.0-pro.1 v2.10.2-pro.1 *Note: Starting with v2.12.0, Community and Enterprise editions are on the same release. Hasura Cloud Hasura Cloud has already been patched. No action is required from customers. More details In the implementation of the new Update Many API for Postgres backends, there was a bug in the code which would enforce the row level authorization mechanisms. Since this was within the Update Many API, a user could perform an update on any column they had update permissions to on any row within the target table, and subsequently retrieve any columns they had select permissions on from any impacted rows. In order for this to be exploited, the Update Many API would need to be called against a Postgres datastore, the API would need to not have been disabled using the configuration added in 2.14.0, the caller of the API would need to have update permissions on the target table, and the API would need to not be restricted by Allow Lists. Identifying Impacts You can look into calls to the Update Many API within your services and review any tables which have been the target of these calls. If you have disabled API and telemetry logging or are not certain you keep all of these records long enough, then you should do a consistency check across all of your Postgres datastores behind the affected versions as listed above. Severity Critical CVE ID No known CVE Weaknesses No CWEs ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================