Headline
CVE-2022-39275: Improper object type validation in mutations leading to unauthorized access
Saleor is a headless, GraphQL commerce platform. In affected versions some GraphQL mutations were not properly checking the ID type input which allowed to access database objects that the authenticated user may not be allowed to access. This vulnerability can be used to expose the following information: Estimating database row counts from tables with a sequential primary key or Exposing staff user and customer email addresses and full name through the assignNavigation() mutation. This issue has been patched in main and backported to multiple releases (3.7.17, 3.6.18, 3.5.23, 3.4.24, 3.3.26, 3.2.14, 3.1.24). Users are advised to upgrade. There are no known workarounds for this issue.
Affected versions
>= 2.0.0
Patched versions
3.7.17, 3.6.18, 3.5.23, 3.4.24, 3.3.26, 3.2.14, 3.1.24
Description
Impact
Some GraphQL mutations were not properly checking the ID type input which allowed to access database objects that the authenticated user may not be allowed to access.
Affects Saleor >= 2.0.0, breakdown:
- accountSetDefaultAddress >= 2.6.0 (2b63e12)
- accountAddressDelete >= 2.9.0 (ad1b899)
- addressDelete >= 2.6.0 (2b63e12)
- productVariantBulkCreate >= 2.9.0 (d5fae21)
- assignNavigation >= 2.0.0 (273867b)
This vulnerability can be used to expose the following information:
- Estimating database row counts from tables with a sequential primary key
- Exposing staff user and customer email addresses and full name through the assignNavigation() mutation
Mutation Name
Required Privileges
Effect
accountSetDefaultAddress
Authenticated User
Request is rejected with error message:
The address doesn’t belong to that user
accountAddressDelete
Authenticated User or MANAGE_USERS
- Crashes with error message for staff user with manage user permission:
‘User’ object has no attribute ‘user_addresses’ - Authenticated User: request is rejected with message:
You need one of the following permissions: MANAGE_USERS, OWNER
addressDelete
MANAGE_USERS
Crash with error message:
‘User’ object has no attribute ‘user_addresses’
productVariantBulkCreate
MANAGE_PRODUCTS
Crash with error message:
‘User’ object has no attribute ‘variants’
assignNavigation
MANAGE_MENUS or MANAGE_SETTINGS
Crash leaking object Python representation, address ID leak the user’s full name. Error message:
Cannot assign "<Address: John Doe>": “SiteSettings.top_menu” must be a “Menu” instance.
Patches
- main: 96e04c092ddcac17b14f2e31554aa02d9006d0ce
- 3.7.17: ed040d6a1feaae44b22316aa59d3b7d2edc1195b
- 3.6.18: 9fbb2fe92c45e4034b42a41af76a0ce86354b415
- 3.5.23: f8ee19d682661a1b9ca9637df346a1c4ff35ef05
- 3.4.24: 34dccfd70499d8d33d7ca31140d703c6ed4ef641
- 3.3.26: 4c12b2f4cdbe2680995db1ab15be358fbd079c2e
- 3.2.14: 52b2eabeb8ffb6819288aa939917e347f03b0c31
- 3.1.24: 45d9aafe7089a1fa39f284db88d46ef6d5800f6f
Workarounds
None
References
None
For more information
If you have any questions or comments about this advisory:
- Open a discussion at https://github.com/saleor/saleor/discussions
- Email us at [email protected]