Critical Vulnerability in Hasura GraphQL Engine v2.10.0-v2.15

What's this blog post about?

On November 21st, Hasura discovered a critical security vulnerability in the "Update Many" API of its GraphQL Engine, affecting versions 2.10.0 to 2.15. The issue was identified by Morten Hillbom and Issaaf Kattan of Celsia.io, a customer of Nhost. A Missing Authorization vulnerability allowed users to expand their update capabilities beyond the row-level authorization rules defined for Postgres datastores. Hasura has released patches for all impacted versions, removed the vulnerable versions from Docker Hub, and is taking steps to improve its security processes and communication channels.

Company
Hasura

Date published
Dec. 7, 2022

Author(s)
Timothy Cline

Word count
836

Language
English

Hacker News points
None found.


By Matt Makai. 2021-2024.