238 – Technical information leak - API

Description

An attacker is able to gather the entire GraphQL API Schema Structure (both queries and mutations).

Impact

Get the knowledge of the Schema Structure to open a door for more dangerous attacks.

Recommendation

Disable introspection queries.

Threat

An anonymous attacker from the Internet network crafts an introspection query.

Expected Remediation Time

30 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: L
• Attack Requirements: N
• Privileges required: N
• User interaction: N
• Confidentiality (VC): L
• Integrity (VI): N
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 077 - Avoid disclosing technical information
• 176 - Restrict system objects

Fixes

• Csharp
• Elixir
• Go
• Java
• Ruby
• Scala
• Typescript

Last updated

2024/02/16