GHSA-79GP-Q4WV-33FR

Vulnerability from github – Published: 2024-09-25 18:21 – Updated: 2025-01-21 18:27
VLAI?
Summary
Cross-Site Request Forgery (CSRF) in strawberry-graphql
Details

Impact

Multipart file upload support as defined in the GraphQL multipart request specification was enabled by default in all Strawberry HTTP view integrations. This made all Strawberry HTTP view integrations vulnerable to CSRF attacks if users did not explicitly enable CSRF preventing security mechanism for their servers. Additionally, the Django HTTP view integration, in particular, had an exemption for Django's built-in CSRF protection (i.e., the CsrfViewMiddleware middleware) by default.

In affect, all Strawberry integrations were vulnerable to CSRF attacks by default.

Patches

Version v0.243.0 is the first strawberry-graphql including a patch. Check out our documentation for additional details and upgrade instructions.

References

Credits

Severity ?
4.6 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
4.8 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "strawberry-graphql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.243.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47082"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-25T18:21:19Z",
    "nvd_published_at": "2024-09-25T18:15:05Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nMultipart file upload support as defined in the [GraphQL multipart request specification](https://github.com/jaydenseric/graphql-multipart-request-spec) was enabled by default in all Strawberry HTTP view integrations. This made all Strawberry HTTP view integrations vulnerable to CSRF attacks if users did not explicitly enable CSRF preventing security mechanism for their servers.\nAdditionally, the Django HTTP view integration, in particular, had an exemption for Django\u0027s built-in CSRF protection (i.e., the `CsrfViewMiddleware` middleware) by default.\n\nIn affect, all Strawberry integrations were vulnerable to CSRF attacks by default.\n\n### Patches\n\nVersion `v0.243.0` is the first `strawberry-graphql` including a patch. Check out our [documentation](https://strawberry.rocks/docs/breaking-changes/0.243.0) for additional details and upgrade instructions.\n\n### References\n\n- [Strawberry upgrade guide](https://strawberry.rocks/docs/breaking-changes/0.243.0)\n- [Multipart Upload Security Implications](https://github.com/jaydenseric/graphql-multipart-request-spec/blob/master/readme.md#security)\n\n### Credits\n\n- [Thomas Grainger](https://github.com/graingert)\n- [Arthur Bayr](https://github.com/speedy1991)\n- [Jonathan Ehwald](https://github.com/DoctorJohn)",
  "id": "GHSA-79gp-q4wv-33fr",
  "modified": "2025-01-21T18:27:00Z",
  "published": "2024-09-25T18:21:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-79gp-q4wv-33fr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47082"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strawberry-graphql/strawberry/commit/37265b230e511480a9ceace492f9f6a484be1387"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/strawberry-graphql/PYSEC-2024-171.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/strawberry-graphql/strawberry"
    },
    {
      "type": "WEB",
      "url": "https://strawberry.rocks/docs/breaking-changes/0.243.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Cross-Site Request Forgery (CSRF) in strawberry-graphql"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.