GraphQL - Moderately critical - Access bypass - SA-CONTRIB-2023-050 - Security-news

8 Nov 2023


      View online: https://www.drupal.org/sa-contrib-2023-050
Project: GraphQL [1]
Date: 2023-November-08
Security risk: *Moderately critical* 11∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass
Affected versions: <3.4.0 || >=4.0.0 <4.6.0
Description: 
This module lets you craft and expose a GraphQL schema for Drupal 9 and 10.
The module currently does not adequately verify whether a given user has the
necessary permissions to access an entity's label creating an access bypass
vulnerability.
This vulnerability is mitigated by the fact that entity view and entity label
access are usually handled by the same access check; developers have to
opt-in for supporting different logic on entity types. Additionally your
schema must make use of the EntityLabel DataProducer to be affected.
Solution: 
Install the latest version:
* If you use the GraphQL module v4 upgrade to GraphQL 8.x-4.6 [3]
   * If you use the GraphQL module v3 upgrade to GraphQL 8.x-3.4 [4]
Reported By: 
   * Dezső Biczó [5]
Fixed By: 
   * Dezső Biczó [6]
   * Klaus Purer [7]
   * Alexander Varwijk [8]
   * Luis  [9]
Coordinated By: 
   * Greg Knaddison [10] of the Drupal Security Team
[1] https://www.drupal.org/project/graphql
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/graphql/releases/8.x-4.6
[4] https://www.drupal.org/project/graphql/releases/8.x-3.4
[5] https://www.drupal.org/user/315522
[6] https://www.drupal.org/user/315522
[7] https://www.drupal.org/user/262198
[8] https://www.drupal.org/user/1868952
[9] https://www.drupal.org/user/1022312
[10] https://www.drupal.org/user/36762