Search
Find a vulnerability
Search criteria
4 vulnerabilities found for graphql-engine by hasura
CVE-2026-54698 (GCVE-0-2026-54698)
Vulnerability from nvd – Published: 2026-07-07 21:29 – Updated: 2026-07-08 13:02
VLAI
EPSS
VEX
Title
Hasura: Row-level authorization bypass on table computed fields
Summary
Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some_table) to infer row values that ought to be filtered for their role based on some_table's row-level permissions. While such rows cannot be returned directly, like predicates on strings for instance allow values to be brute forced efficiently with the where clause as an oracle. This issue is fixed in versions 2.49.2 and 2.45.5.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/hasura/graphql-engine/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hasura | graphql-engine |
Affected:
>= 2.46.0, < 2.49.2
Affected: >= 2.45.0, < 2.45.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54698",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T13:01:48.684963Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T13:02:17.049Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "graphql-engine",
"vendor": "hasura",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.46.0, \u003c 2.49.2"
},
{
"status": "affected",
"version": "\u003e= 2.45.0, \u003c 2.45.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some_table) to infer row values that ought to be filtered for their role based on some_table\u0027s row-level permissions. While such rows cannot be returned directly, like predicates on strings for instance allow values to be brute forced efficiently with the where clause as an oracle. This issue is fixed in versions 2.49.2 and 2.45.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T21:29:23.595Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-r27x-gc74-qmxh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-r27x-gc74-qmxh"
}
],
"source": {
"advisory": "GHSA-r27x-gc74-qmxh",
"discovery": "UNKNOWN"
},
"title": "Hasura: Row-level authorization bypass on table computed fields"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54698",
"datePublished": "2026-07-07T21:29:23.595Z",
"dateReserved": "2026-06-15T22:58:06.562Z",
"dateUpdated": "2026-07-08T13:02:17.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-27588 (GCVE-0-2023-27588)
Vulnerability from nvd – Published: 2023-03-14 17:23 – Updated: 2025-02-25 14:57
VLAI
EPSS
VEX
Title
Unauthenticated path traversal vulnerability in Hasura GraphQL Engine
Summary
Hasura is an open-source product that provides users GraphQL or REST APIs. A path traversal vulnerability has been discovered within Hasura GraphQL Engine prior to versions 1.3.4, 2.55.1, 2.20.1, and 2.21.0-beta1. Projects running on Hasura Cloud were not vulnerable. Self-hosted Hasura Projects with deployments that are publicly exposed and not protected by a WAF or other HTTP protection layer should be upgraded to version 1.3.4, 2.55.1, 2.20.1, or 2.21.0-beta1 to receive a patch.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://github.com/hasura/graphql-engine/security… | x_refsource_CONFIRM |
| https://github.com/hasura/graphql-engine/commit/d… | x_refsource_MISC |
| https://github.com/hasura/graphql-engine/releases… | x_refsource_MISC |
| https://github.com/hasura/graphql-engine/releases… | x_refsource_MISC |
| https://github.com/hasura/graphql-engine/releases… | x_refsource_MISC |
| https://github.com/hasura/graphql-engine/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hasura | graphql-engine |
Affected:
< 1.3.4
Affected: >= 2.0.0, < 2.11.5 Affected: >= 2.2.0, < 2.20.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:16:35.882Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-c9rw-rw2f-mj4x",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-c9rw-rw2f-mj4x"
},
{
"name": "https://github.com/hasura/graphql-engine/commit/dda54543ee1ecf647ca5d0971b140c3a7b9f4158",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hasura/graphql-engine/commit/dda54543ee1ecf647ca5d0971b140c3a7b9f4158"
},
{
"name": "https://github.com/hasura/graphql-engine/releases/tag/v1.3.4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hasura/graphql-engine/releases/tag/v1.3.4"
},
{
"name": "https://github.com/hasura/graphql-engine/releases/tag/v2.11.5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hasura/graphql-engine/releases/tag/v2.11.5"
},
{
"name": "https://github.com/hasura/graphql-engine/releases/tag/v2.20.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hasura/graphql-engine/releases/tag/v2.20.1"
},
{
"name": "https://github.com/hasura/graphql-engine/releases/tag/v2.21.0-beta.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hasura/graphql-engine/releases/tag/v2.21.0-beta.1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-27588",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T14:31:06.675110Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T14:57:42.725Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "graphql-engine",
"vendor": "hasura",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.4"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.11.5"
},
{
"status": "affected",
"version": "\u003e= 2.2.0, \u003c 2.20.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hasura is an open-source product that provides users GraphQL or REST APIs. A path traversal vulnerability has been discovered within Hasura GraphQL Engine prior to versions 1.3.4, 2.55.1, 2.20.1, and 2.21.0-beta1. Projects running on Hasura Cloud were not vulnerable. Self-hosted Hasura Projects with deployments that are publicly exposed and not protected by a WAF or other HTTP protection layer should be upgraded to version 1.3.4, 2.55.1, 2.20.1, or 2.21.0-beta1 to receive a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-27",
"description": "CWE-27: Path Traversal: \u0027dir/../../filename\u0027",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-14T17:23:10.499Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-c9rw-rw2f-mj4x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-c9rw-rw2f-mj4x"
},
{
"name": "https://github.com/hasura/graphql-engine/commit/dda54543ee1ecf647ca5d0971b140c3a7b9f4158",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hasura/graphql-engine/commit/dda54543ee1ecf647ca5d0971b140c3a7b9f4158"
},
{
"name": "https://github.com/hasura/graphql-engine/releases/tag/v1.3.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hasura/graphql-engine/releases/tag/v1.3.4"
},
{
"name": "https://github.com/hasura/graphql-engine/releases/tag/v2.11.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hasura/graphql-engine/releases/tag/v2.11.5"
},
{
"name": "https://github.com/hasura/graphql-engine/releases/tag/v2.20.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hasura/graphql-engine/releases/tag/v2.20.1"
},
{
"name": "https://github.com/hasura/graphql-engine/releases/tag/v2.21.0-beta.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hasura/graphql-engine/releases/tag/v2.21.0-beta.1"
}
],
"source": {
"advisory": "GHSA-c9rw-rw2f-mj4x",
"discovery": "UNKNOWN"
},
"title": "Unauthenticated path traversal vulnerability in Hasura GraphQL Engine"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-27588",
"datePublished": "2023-03-14T17:23:10.499Z",
"dateReserved": "2023-03-04T01:03:53.635Z",
"dateUpdated": "2025-02-25T14:57:42.725Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-54698 (GCVE-0-2026-54698)
Vulnerability from cvelistv5 – Published: 2026-07-07 21:29 – Updated: 2026-07-08 13:02
VLAI
EPSS
VEX
Title
Hasura: Row-level authorization bypass on table computed fields
Summary
Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some_table) to infer row values that ought to be filtered for their role based on some_table's row-level permissions. While such rows cannot be returned directly, like predicates on strings for instance allow values to be brute forced efficiently with the where clause as an oracle. This issue is fixed in versions 2.49.2 and 2.45.5.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/hasura/graphql-engine/security… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hasura | graphql-engine |
Affected:
>= 2.46.0, < 2.49.2
Affected: >= 2.45.0, < 2.45.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54698",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T13:01:48.684963Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T13:02:17.049Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "graphql-engine",
"vendor": "hasura",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.46.0, \u003c 2.49.2"
},
{
"status": "affected",
"version": "\u003e= 2.45.0, \u003c 2.45.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hasura is an open-source product that provides users GraphQL or REST APIs. Prior to 2.49.2 and 2.45.5, a user can use a where clause on a table computed field (returning SETOF some_table) to infer row values that ought to be filtered for their role based on some_table\u0027s row-level permissions. While such rows cannot be returned directly, like predicates on strings for instance allow values to be brute forced efficiently with the where clause as an oracle. This issue is fixed in versions 2.49.2 and 2.45.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T21:29:23.595Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-r27x-gc74-qmxh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-r27x-gc74-qmxh"
}
],
"source": {
"advisory": "GHSA-r27x-gc74-qmxh",
"discovery": "UNKNOWN"
},
"title": "Hasura: Row-level authorization bypass on table computed fields"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54698",
"datePublished": "2026-07-07T21:29:23.595Z",
"dateReserved": "2026-06-15T22:58:06.562Z",
"dateUpdated": "2026-07-08T13:02:17.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-27588 (GCVE-0-2023-27588)
Vulnerability from cvelistv5 – Published: 2023-03-14 17:23 – Updated: 2025-02-25 14:57
VLAI
EPSS
VEX
Title
Unauthenticated path traversal vulnerability in Hasura GraphQL Engine
Summary
Hasura is an open-source product that provides users GraphQL or REST APIs. A path traversal vulnerability has been discovered within Hasura GraphQL Engine prior to versions 1.3.4, 2.55.1, 2.20.1, and 2.21.0-beta1. Projects running on Hasura Cloud were not vulnerable. Self-hosted Hasura Projects with deployments that are publicly exposed and not protected by a WAF or other HTTP protection layer should be upgraded to version 1.3.4, 2.55.1, 2.20.1, or 2.21.0-beta1 to receive a patch.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://github.com/hasura/graphql-engine/security… | x_refsource_CONFIRM |
| https://github.com/hasura/graphql-engine/commit/d… | x_refsource_MISC |
| https://github.com/hasura/graphql-engine/releases… | x_refsource_MISC |
| https://github.com/hasura/graphql-engine/releases… | x_refsource_MISC |
| https://github.com/hasura/graphql-engine/releases… | x_refsource_MISC |
| https://github.com/hasura/graphql-engine/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hasura | graphql-engine |
Affected:
< 1.3.4
Affected: >= 2.0.0, < 2.11.5 Affected: >= 2.2.0, < 2.20.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:16:35.882Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-c9rw-rw2f-mj4x",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-c9rw-rw2f-mj4x"
},
{
"name": "https://github.com/hasura/graphql-engine/commit/dda54543ee1ecf647ca5d0971b140c3a7b9f4158",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hasura/graphql-engine/commit/dda54543ee1ecf647ca5d0971b140c3a7b9f4158"
},
{
"name": "https://github.com/hasura/graphql-engine/releases/tag/v1.3.4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hasura/graphql-engine/releases/tag/v1.3.4"
},
{
"name": "https://github.com/hasura/graphql-engine/releases/tag/v2.11.5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hasura/graphql-engine/releases/tag/v2.11.5"
},
{
"name": "https://github.com/hasura/graphql-engine/releases/tag/v2.20.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hasura/graphql-engine/releases/tag/v2.20.1"
},
{
"name": "https://github.com/hasura/graphql-engine/releases/tag/v2.21.0-beta.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/hasura/graphql-engine/releases/tag/v2.21.0-beta.1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-27588",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T14:31:06.675110Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T14:57:42.725Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "graphql-engine",
"vendor": "hasura",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.4"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.11.5"
},
{
"status": "affected",
"version": "\u003e= 2.2.0, \u003c 2.20.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hasura is an open-source product that provides users GraphQL or REST APIs. A path traversal vulnerability has been discovered within Hasura GraphQL Engine prior to versions 1.3.4, 2.55.1, 2.20.1, and 2.21.0-beta1. Projects running on Hasura Cloud were not vulnerable. Self-hosted Hasura Projects with deployments that are publicly exposed and not protected by a WAF or other HTTP protection layer should be upgraded to version 1.3.4, 2.55.1, 2.20.1, or 2.21.0-beta1 to receive a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-27",
"description": "CWE-27: Path Traversal: \u0027dir/../../filename\u0027",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-14T17:23:10.499Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-c9rw-rw2f-mj4x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/hasura/graphql-engine/security/advisories/GHSA-c9rw-rw2f-mj4x"
},
{
"name": "https://github.com/hasura/graphql-engine/commit/dda54543ee1ecf647ca5d0971b140c3a7b9f4158",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hasura/graphql-engine/commit/dda54543ee1ecf647ca5d0971b140c3a7b9f4158"
},
{
"name": "https://github.com/hasura/graphql-engine/releases/tag/v1.3.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hasura/graphql-engine/releases/tag/v1.3.4"
},
{
"name": "https://github.com/hasura/graphql-engine/releases/tag/v2.11.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hasura/graphql-engine/releases/tag/v2.11.5"
},
{
"name": "https://github.com/hasura/graphql-engine/releases/tag/v2.20.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hasura/graphql-engine/releases/tag/v2.20.1"
},
{
"name": "https://github.com/hasura/graphql-engine/releases/tag/v2.21.0-beta.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/hasura/graphql-engine/releases/tag/v2.21.0-beta.1"
}
],
"source": {
"advisory": "GHSA-c9rw-rw2f-mj4x",
"discovery": "UNKNOWN"
},
"title": "Unauthenticated path traversal vulnerability in Hasura GraphQL Engine"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-27588",
"datePublished": "2023-03-14T17:23:10.499Z",
"dateReserved": "2023-03-04T01:03:53.635Z",
"dateUpdated": "2025-02-25T14:57:42.725Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}