CVE-2023-27588: Unauthenticated path traversal vulnerability in Hasura GraphQL Engine
A new security vulnerability, identified as CVE-2023-27588, has been discovered in the Hasura GraphQL Engine, posing a significant risk to self-hosted projects.
Unpacking the CVE-2023-27588 Vulnerability
CVE-2023-27588, with a CVSS score of 7.5, is an unauthenticated path traversal vulnerability affecting the Hasura GraphQL Engine. This engine serves as a robust platform to connect databases, REST and GraphQL endpoints, and third-party APIs, allowing developers to create and deploy modern, performant applications and APIs at an accelerated pace.
However, this newly discovered vulnerability affects all versions of the Hasura GraphQL Engine, potentially leaving your project exposed to malicious actors who could exploit the flaw.
Patched Versions to Secure Your Projects
The Hasura team has swiftly responded to this vulnerability, releasing patched versions that address the issue. The following versions are considered secure:
- v2.11.5
- v2.20.1
- v2.21.0-beta.1
- v1.3.4
Actions You Need to Take
Depending on your Hasura deployment, different steps are required to mitigate this vulnerability.
- Hasura Cloud Projects: If your project is running on Hasura Cloud, there is no need for further action. Hasura Cloud projects were not vulnerable to this issue. However, if you also have self-hosted Hasura projects, please follow the guidelines below.
- Self-hosted Hasura Projects (Community Edition or Enterprise Edition): If your self-hosted Hasura deployment is publicly exposed and lacks protection from a Web Application Firewall (WAF) or other HTTP protection layer, it is crucial to update immediately to one of the fixed versions mentioned above.
Public Disclosure Update
The Hasura team recognizes the importance of transparency and is issuing a security advisory to inform the larger user community. A detailed public disclosure of the CVE-2023-27588 vulnerability is scheduled for March 27, 2023. This timeline allows users enough time to take the necessary steps to mitigate the issue and ensure the ongoing security of their Hasura projects. The CVE-2023-27588 vulnerability poses a real risk to self-hosted Hasura projects, so be sure to take the recommended steps to secure your deployment. By updating to the patched versions and implementing proper security measures, you can safeguard your projects and maintain confidence in the Hasura GraphQL Engine as a powerful tool for app and API development.
