Sign In
Advisories

Hasura GraphQL 1.3.3 Local File Read via SQL Injection

Go Back
severity
medium
date
Affecting

  • Hasura GraphQL 1.3.3

CWE
  • CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS
6.9
CVSS V4 Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Credit
Dolev Farhi
Description
Hasura GraphQL 1.3.3 contains a local file read vulnerability that allows attackers to access system files through SQL injection in the query endpoint. Attackers can exploit the pg_read_file() PostgreSQL function by crafting malicious SQL queries to read arbitrary files on the server.