Vulnerability Details CVE-2022-46792
Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends. The fixed versions are 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2. (Versions before 2.10.0 are unaffected.)
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 40.7%
CVSS Severity
CVSS v3 Score 8.8
References
- https://github.com/hasura/graphql-engine/security/advisories/GHSA-g7mj-g7f4-hgrg
- https://groups.google.com/g/hasura-security-announce/c/kzK-uPAKGUU
- https://hasura.io/blog/critical-vulnerability-in-hasuras-graphql-engine-v2-10-0/
- https://github.com/hasura/graphql-engine/security/advisories/GHSA-g7mj-g7f4-hgrg
- https://groups.google.com/g/hasura-security-announce/c/kzK-uPAKGUU
- https://hasura.io/blog/critical-vulnerability-in-hasuras-graphql-engine-v2-10-0/
Products affected by CVE-2022-46792
-
cpe:2.3:a:hasura:graphql_engine:2.10.0
-
cpe:2.3:a:hasura:graphql_engine:2.10.1
-
cpe:2.3:a:hasura:graphql_engine:2.11.0
-
cpe:2.3:a:hasura:graphql_engine:2.11.1
-
cpe:2.3:a:hasura:graphql_engine:2.11.2
-
cpe:2.3:a:hasura:graphql_engine:2.12.0
-
cpe:2.3:a:hasura:graphql_engine:2.13.0
-
cpe:2.3:a:hasura:graphql_engine:2.13.1
-
cpe:2.3:a:hasura:graphql_engine:2.14.0
-
cpe:2.3:a:hasura:graphql_engine:2.15.0
-
cpe:2.3:a:hasura:graphql_engine:2.15.1