Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for graphql-engine by hasura

    CVE-2026-54698 (GCVE-0-2026-54698)

    Vulnerability from nvd – Published: 2026-07-07 21:29 – Updated: 2026-07-08 13:02
    VLAI
    Title
    Hasura: Row-level authorization bypass on table computed fields
    Summary
    Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some_table) to infer row values that ought to be filtered for their role based on some_table's row-level permissions. While such rows cannot be returned directly, like predicates on strings for instance allow values to be brute forced efficiently with the where clause as an oracle. This issue is fixed in versions 2.49.2 and 2.45.5.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    hasura graphql-engine Affected: >= 2.46.0, < 2.49.2
    Affected: >= 2.45.0, < 2.45.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54698",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:01:48.684963Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:02:17.049Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "graphql-engine",
              "vendor": "hasura",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.46.0, \u003c 2.49.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.45.0, \u003c 2.45.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some_table) to infer row values that ought to be filtered for their role based on some_table\u0027s row-level permissions. While such rows cannot be returned directly, like predicates on strings for instance allow values to be brute forced efficiently with the where clause as an oracle. This issue is fixed in versions 2.49.2 and 2.45.5."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T21:29:23.595Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-r27x-gc74-qmxh",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-r27x-gc74-qmxh"
            }
          ],
          "source": {
            "advisory": "GHSA-r27x-gc74-qmxh",
            "discovery": "UNKNOWN"
          },
          "title": "Hasura: Row-level authorization bypass on table computed fields"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54698",
        "datePublished": "2026-07-07T21:29:23.595Z",
        "dateReserved": "2026-06-15T22:58:06.562Z",
        "dateUpdated": "2026-07-08T13:02:17.049Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-27588 (GCVE-0-2023-27588)

    Vulnerability from nvd – Published: 2023-03-14 17:23 – Updated: 2025-02-25 14:57
    VLAI
    Title
    Unauthenticated path traversal vulnerability in Hasura GraphQL Engine
    Summary
    Hasura is an open-source product that provides users GraphQL or REST APIs. A path traversal vulnerability has been discovered within Hasura GraphQL Engine prior to versions 1.3.4, 2.55.1, 2.20.1, and 2.21.0-beta1. Projects running on Hasura Cloud were not vulnerable. Self-hosted Hasura Projects with deployments that are publicly exposed and not protected by a WAF or other HTTP protection layer should be upgraded to version 1.3.4, 2.55.1, 2.20.1, or 2.21.0-beta1 to receive a patch.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-27 - Path Traversal: 'dir/../../filename'
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    hasura graphql-engine Affected: < 1.3.4
    Affected: >= 2.0.0, < 2.11.5
    Affected: >= 2.2.0, < 2.20.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T12:16:35.882Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-c9rw-rw2f-mj4x",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-c9rw-rw2f-mj4x"
              },
              {
                "name": "https://github.com/hasura/graphql-engine/commit/dda54543ee1ecf647ca5d0971b140c3a7b9f4158",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/hasura/graphql-engine/commit/dda54543ee1ecf647ca5d0971b140c3a7b9f4158"
              },
              {
                "name": "https://github.com/hasura/graphql-engine/releases/tag/v1.3.4",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/hasura/graphql-engine/releases/tag/v1.3.4"
              },
              {
                "name": "https://github.com/hasura/graphql-engine/releases/tag/v2.11.5",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/hasura/graphql-engine/releases/tag/v2.11.5"
              },
              {
                "name": "https://github.com/hasura/graphql-engine/releases/tag/v2.20.1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/hasura/graphql-engine/releases/tag/v2.20.1"
              },
              {
                "name": "https://github.com/hasura/graphql-engine/releases/tag/v2.21.0-beta.1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/hasura/graphql-engine/releases/tag/v2.21.0-beta.1"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-27588",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-25T14:31:06.675110Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-25T14:57:42.725Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "graphql-engine",
              "vendor": "hasura",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.3.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0, \u003c 2.11.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.2.0, \u003c 2.20.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hasura is an open-source product that provides users GraphQL or REST APIs. A path traversal vulnerability has been discovered within Hasura GraphQL Engine prior to versions 1.3.4, 2.55.1, 2.20.1, and 2.21.0-beta1. Projects running on Hasura Cloud were not vulnerable. Self-hosted Hasura Projects with deployments that are publicly exposed and not protected by a WAF or other HTTP protection layer should be upgraded to version 1.3.4, 2.55.1, 2.20.1, or 2.21.0-beta1 to receive a patch."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-27",
                  "description": "CWE-27: Path Traversal: \u0027dir/../../filename\u0027",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-14T17:23:10.499Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-c9rw-rw2f-mj4x",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-c9rw-rw2f-mj4x"
            },
            {
              "name": "https://github.com/hasura/graphql-engine/commit/dda54543ee1ecf647ca5d0971b140c3a7b9f4158",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/hasura/graphql-engine/commit/dda54543ee1ecf647ca5d0971b140c3a7b9f4158"
            },
            {
              "name": "https://github.com/hasura/graphql-engine/releases/tag/v1.3.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/hasura/graphql-engine/releases/tag/v1.3.4"
            },
            {
              "name": "https://github.com/hasura/graphql-engine/releases/tag/v2.11.5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/hasura/graphql-engine/releases/tag/v2.11.5"
            },
            {
              "name": "https://github.com/hasura/graphql-engine/releases/tag/v2.20.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/hasura/graphql-engine/releases/tag/v2.20.1"
            },
            {
              "name": "https://github.com/hasura/graphql-engine/releases/tag/v2.21.0-beta.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/hasura/graphql-engine/releases/tag/v2.21.0-beta.1"
            }
          ],
          "source": {
            "advisory": "GHSA-c9rw-rw2f-mj4x",
            "discovery": "UNKNOWN"
          },
          "title": "Unauthenticated path traversal vulnerability in Hasura GraphQL Engine"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-27588",
        "datePublished": "2023-03-14T17:23:10.499Z",
        "dateReserved": "2023-03-04T01:03:53.635Z",
        "dateUpdated": "2025-02-25T14:57:42.725Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-54698 (GCVE-0-2026-54698)

    Vulnerability from cvelistv5 – Published: 2026-07-07 21:29 – Updated: 2026-07-08 13:02
    VLAI
    Title
    Hasura: Row-level authorization bypass on table computed fields
    Summary
    Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some_table) to infer row values that ought to be filtered for their role based on some_table's row-level permissions. While such rows cannot be returned directly, like predicates on strings for instance allow values to be brute forced efficiently with the where clause as an oracle. This issue is fixed in versions 2.49.2 and 2.45.5.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    hasura graphql-engine Affected: >= 2.46.0, < 2.49.2
    Affected: >= 2.45.0, < 2.45.5
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54698",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:01:48.684963Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:02:17.049Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "graphql-engine",
              "vendor": "hasura",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.46.0, \u003c 2.49.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.45.0, \u003c 2.45.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some_table) to infer row values that ought to be filtered for their role based on some_table\u0027s row-level permissions. While such rows cannot be returned directly, like predicates on strings for instance allow values to be brute forced efficiently with the where clause as an oracle. This issue is fixed in versions 2.49.2 and 2.45.5."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T21:29:23.595Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-r27x-gc74-qmxh",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-r27x-gc74-qmxh"
            }
          ],
          "source": {
            "advisory": "GHSA-r27x-gc74-qmxh",
            "discovery": "UNKNOWN"
          },
          "title": "Hasura: Row-level authorization bypass on table computed fields"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54698",
        "datePublished": "2026-07-07T21:29:23.595Z",
        "dateReserved": "2026-06-15T22:58:06.562Z",
        "dateUpdated": "2026-07-08T13:02:17.049Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-27588 (GCVE-0-2023-27588)

    Vulnerability from cvelistv5 – Published: 2023-03-14 17:23 – Updated: 2025-02-25 14:57
    VLAI
    Title
    Unauthenticated path traversal vulnerability in Hasura GraphQL Engine
    Summary
    Hasura is an open-source product that provides users GraphQL or REST APIs. A path traversal vulnerability has been discovered within Hasura GraphQL Engine prior to versions 1.3.4, 2.55.1, 2.20.1, and 2.21.0-beta1. Projects running on Hasura Cloud were not vulnerable. Self-hosted Hasura Projects with deployments that are publicly exposed and not protected by a WAF or other HTTP protection layer should be upgraded to version 1.3.4, 2.55.1, 2.20.1, or 2.21.0-beta1 to receive a patch.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-27 - Path Traversal: 'dir/../../filename'
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    hasura graphql-engine Affected: < 1.3.4
    Affected: >= 2.0.0, < 2.11.5
    Affected: >= 2.2.0, < 2.20.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T12:16:35.882Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-c9rw-rw2f-mj4x",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-c9rw-rw2f-mj4x"
              },
              {
                "name": "https://github.com/hasura/graphql-engine/commit/dda54543ee1ecf647ca5d0971b140c3a7b9f4158",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/hasura/graphql-engine/commit/dda54543ee1ecf647ca5d0971b140c3a7b9f4158"
              },
              {
                "name": "https://github.com/hasura/graphql-engine/releases/tag/v1.3.4",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/hasura/graphql-engine/releases/tag/v1.3.4"
              },
              {
                "name": "https://github.com/hasura/graphql-engine/releases/tag/v2.11.5",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/hasura/graphql-engine/releases/tag/v2.11.5"
              },
              {
                "name": "https://github.com/hasura/graphql-engine/releases/tag/v2.20.1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/hasura/graphql-engine/releases/tag/v2.20.1"
              },
              {
                "name": "https://github.com/hasura/graphql-engine/releases/tag/v2.21.0-beta.1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/hasura/graphql-engine/releases/tag/v2.21.0-beta.1"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-27588",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-25T14:31:06.675110Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-25T14:57:42.725Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "graphql-engine",
              "vendor": "hasura",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.3.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0, \u003c 2.11.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.2.0, \u003c 2.20.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hasura is an open-source product that provides users GraphQL or REST APIs. A path traversal vulnerability has been discovered within Hasura GraphQL Engine prior to versions 1.3.4, 2.55.1, 2.20.1, and 2.21.0-beta1. Projects running on Hasura Cloud were not vulnerable. Self-hosted Hasura Projects with deployments that are publicly exposed and not protected by a WAF or other HTTP protection layer should be upgraded to version 1.3.4, 2.55.1, 2.20.1, or 2.21.0-beta1 to receive a patch."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-27",
                  "description": "CWE-27: Path Traversal: \u0027dir/../../filename\u0027",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-03-14T17:23:10.499Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-c9rw-rw2f-mj4x",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-c9rw-rw2f-mj4x"
            },
            {
              "name": "https://github.com/hasura/graphql-engine/commit/dda54543ee1ecf647ca5d0971b140c3a7b9f4158",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/hasura/graphql-engine/commit/dda54543ee1ecf647ca5d0971b140c3a7b9f4158"
            },
            {
              "name": "https://github.com/hasura/graphql-engine/releases/tag/v1.3.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/hasura/graphql-engine/releases/tag/v1.3.4"
            },
            {
              "name": "https://github.com/hasura/graphql-engine/releases/tag/v2.11.5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/hasura/graphql-engine/releases/tag/v2.11.5"
            },
            {
              "name": "https://github.com/hasura/graphql-engine/releases/tag/v2.20.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/hasura/graphql-engine/releases/tag/v2.20.1"
            },
            {
              "name": "https://github.com/hasura/graphql-engine/releases/tag/v2.21.0-beta.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/hasura/graphql-engine/releases/tag/v2.21.0-beta.1"
            }
          ],
          "source": {
            "advisory": "GHSA-c9rw-rw2f-mj4x",
            "discovery": "UNKNOWN"
          },
          "title": "Unauthenticated path traversal vulnerability in Hasura GraphQL Engine"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-27588",
        "datePublished": "2023-03-14T17:23:10.499Z",
        "dateReserved": "2023-03-04T01:03:53.635Z",
        "dateUpdated": "2025-02-25T14:57:42.725Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }