Update Your Hasura GraphQL Engine Now to Patch Path Traversal Vulnerability

CVE: CVE-2023-27588
CVSS (v3.1): 7.5
Source: CVE-2023-27588

Hasura GraphQL Engine, an open-source backend for building GraphQL APIs, is affected by a path traversal vulnerability in versions prior to 1.3.4, 2.55.1, 2.20.1, and 2.21.0-beta1.

Path traversal attacks allow attackers to access files and directories that are normally outside their reach by manipulating URL path parameters or certain input strings. For projects using Hasura that have their GraphQL APIs exposed publicly without protection from a web application firewall or other security measures, this vulnerability could allow unauthorized access to sensitive files on the server.

Attackers could craft requests that try to traverse up the file system on the server to read, write or delete files that the Hasura process has access to but are not intended to be publicly accessible. This poses a risk to confidentiality, integrity and availability.

If you have a Hasura GraphQL Engine project deployed that is exposed to the public internet, you should immediately upgrade to one of the patched versions mentioned to close this security hole. It’s also recommended to use a web application firewall or other protection when exposing APIs publicly to add an additional layer of security.
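To make the attack class concrete from the defender's side, here is an added example (not code from the advisory or from the Hasura project) showing the two checks a web application firewall or an application layer applies against traversal attempts: a request-path detector that decodes percent-encoding before looking for `..` segments, and a path resolver that confines a caller-supplied path to a base directory. The base directory `/srv/app/public`, the `resolve_under_base` and `looks_like_traversal` names, and the sample request lines are all constructed for this illustration; nothing here reflects which Hasura endpoint was affected.

```python
import posixpath
from typing import List, Optional
from urllib.parse import unquote

# Hypothetical base directory that a file-serving handler is allowed to read from.
BASE_DIR = "/srv/app/public"


def _fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly (bounded) so that '%2e%2e' and the
    double-encoded '%252e%252e' both collapse to '..' before any check runs."""
    decoded = value
    for _ in range(max_rounds):
        next_value = unquote(decoded)
        if next_value == decoded:
            break
        decoded = next_value
    return decoded


def looks_like_traversal(raw_path: str) -> bool:
    """Return True if the request path contains a '..' segment after decoding.
    Backslashes are treated as separators so 'a\\..\\b' is not missed."""
    decoded = _fully_decode(raw_path).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def resolve_under_base(base_dir: str, user_path: str) -> Optional[str]:
    """Join a caller-supplied path onto base_dir and return the normalized
    result, or None if the result would escape base_dir.

    The check is lexical (posixpath.normpath). A production version should
    additionally canonicalize with os.path.realpath so that symlinks inside
    base_dir cannot be used to point outside it."""
    base = posixpath.normpath(base_dir)
    relative = _fully_decode(user_path).replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(base, relative))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


def flag_traversal_requests(log_lines: List[str]) -> List[str]:
    """Return the request paths from access-log style request lines
    ('METHOD PATH VERSION') that look like traversal attempts."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        path = parts[1]
        if looks_like_traversal(path):
            flagged.append(path)
    return flagged


# Constructed sample request lines (not real traffic) mixing benign and
# traversal-shaped paths, including percent- and double-percent-encoded forms.
SAMPLE_REQUESTS = [
    "GET /v1/graphql HTTP/1.1",
    "GET /static/images/logo.png HTTP/1.1",
    "GET /static/../../etc/passwd HTTP/1.1",
    "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
    "GET /static/..%252f..%252fetc/passwd HTTP/1.1",
]

if __name__ == "__main__":
    for path in flag_traversal_requests(SAMPLE_REQUESTS):
        print("traversal attempt:", path)
    print("benign resolves to:", resolve_under_base(BASE_DIR, "images/logo.png"))
    print("escape resolves to:", resolve_under_base(BASE_DIR, "../../etc/passwd"))
```

The decode-then-check order matters: a filter that looks for the literal string `..` in the raw URL misses the encoded forms, which is why the detector decodes first and the resolver normalizes the decoded path before comparing it against the base directory.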

By keeping your Hasura GraphQL Engine updated with the latest versions, you can help protect your application and its users from exploits of known vulnerabilities. Regular patching of components is important for maintaining baseline security.
