GHSA-hx78-272p-mqqh – graphql-shield
Package
Manager: npm
Name: graphql-shield
Vulnerable Version: >=0 <6.0.6
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Authorization Bypass in graphql-shield

Versions of `graphql-shield` prior to 6.0.6 are vulnerable to an Authorization Bypass. The rule caching option `no_cache` relies on keys generated by cryptographically insecure functions, which may cause rules to be incorrectly cached. This allows attackers to access information they should not have access to in case of a key collision.

## Recommendation

Upgrade to version 6.0.6 or later.
Metadata
Created: 2020-09-03T19:21:11Z
Modified: 2020-08-31T18:47:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-hx78-272p-mqqh/GHSA-hx78-272p-mqqh.json
CWE IDs: ["CWE-285"]
Alternative ID: N/A
Finding: F039
Auto approve: 1