GHSA-CFH4-7WQ9-6PGG

Vulnerability from github – Published: 2023-06-30 20:35 – Updated: 2023-11-17 22:31
VLAI?
Summary
WPGraphQL Plugin vulnerable to Server Side Request Forgery (SSRF)
Details

Impact

Users with capabilities to upload media (editors and above) are succeptible to SSRF (Server-Side Request Forgery) when executing the createMediaItem Mutation.

Authenticated users making GraphQL requests that execute the createMediaItem could pass executable paths in the mutations filePath argument that could give them unwarranted access to the server.

It's recommended to update to WPGraphQL v1.14.6 or newer. If you're unable to do so, below is a snippet you can add to your functions.php (or similar) that filters the createMediaItem mutation's resolver.

Patches

  • v1.14.6
  • https://github.com/wp-graphql/wp-graphql/pull/2840

Workarounds

If you're unable to upgrade to v1.14.6 or higher, you should be able to use the following snippet in your functions.php to override the vulnerable resolver.

This snippet has been tested as far back as WPGraphQL v0.15

add_filter( 'graphql_pre_resolve_field', function( $nil, $source, $args, $context, \GraphQL\Type\Definition\ResolveInfo $info, $type_name, $field_key, $field, $field_resolver ) {

    if ( $info->fieldName !== 'createMediaItem' ) {
        return $nil;
    }

    $input = $args['input'] ?? null;

        if ( ! isset( $input['filePath'] ) ) {
        return $nil;
    }

    $uploaded_file_url   = $input['filePath'];

    // Check that the filetype is allowed
    $check_file = wp_check_filetype( $uploaded_file_url );

    // if the file doesn't pass the check, throw an error
    if ( ! $check_file['ext'] || ! $check_file['type'] || ! wp_http_validate_url( $uploaded_file_url ) ) {
        throw new \GraphQL\Error\UserError( sprintf( __( 'Invalid filePath "%s"', 'wp-graphql' ), $input['filePath'] ) );
    }

    $protocol = wp_parse_url( $input['filePath'], PHP_URL_SCHEME );

    // prevent the filePath from being submitted with a non-allowed protocols
    $allowed_protocols = [ 'https', 'http', 'file' ];

    if ( ! in_array( $protocol, $allowed_protocols, true ) ) {
        throw new \GraphQL\Error\UserError( sprintf( __( 'Invalid protocol. "%1$s". Only "%2$s" allowed.', 'wp-graphql' ), $protocol, implode( '", "', $allowed_protocols ) ) );
    }

    return $nil;

}, 10, 9 );

References

  • https://patchstack.com/database/vulnerability/wp-graphql/wordpress-wp-graphql-plugin-1-14-5-server-side-request-forgery-ssrf-vulnerability
Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.14.5"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "wp-graphql/wp-graphql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.14.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-23684"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-30T20:35:37Z",
    "nvd_published_at": "2023-11-13T03:15:07Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nUsers with capabilities to upload media (editors and above) are succeptible to SSRF (Server-Side Request Forgery) when executing the `createMediaItem` Mutation. \n\nAuthenticated users making GraphQL requests that execute the `createMediaItem` could pass executable paths in the mutations `filePath` argument that could give them unwarranted access to the server. \n\nIt\u0027s recommended to update to WPGraphQL v1.14.6 or newer. If you\u0027re unable to do so, below is a snippet you can add to your functions.php (or similar) that filters the `createMediaItem` mutation\u0027s resolver. \n\n### Patches\n\n- [v1.14.6](https://github.com/wp-graphql/wp-graphql/releases/tag/v1.14.6)\n- https://github.com/wp-graphql/wp-graphql/pull/2840\n\n### Workarounds\nIf you\u0027re unable to upgrade to v1.14.6 or higher, you should be able to use the following snippet in your functions.php to override the vulnerable resolver. \n\nThis snippet has been tested as far back as WPGraphQL v0.15\n\n```php\nadd_filter( \u0027graphql_pre_resolve_field\u0027, function( $nil, $source, $args, $context, \\GraphQL\\Type\\Definition\\ResolveInfo $info, $type_name, $field_key, $field, $field_resolver ) {\n\n\tif ( $info-\u003efieldName !== \u0027createMediaItem\u0027 ) {\n\t\treturn $nil;\n\t}\n\n\t$input = $args[\u0027input\u0027] ?? null;\n\n        if ( ! isset( $input[\u0027filePath\u0027] ) ) {\n\t\treturn $nil;\n\t}\n\n\t$uploaded_file_url   = $input[\u0027filePath\u0027];\n\n\t// Check that the filetype is allowed\n\t$check_file = wp_check_filetype( $uploaded_file_url );\n\n\t// if the file doesn\u0027t pass the check, throw an error\n\tif ( ! $check_file[\u0027ext\u0027] || ! $check_file[\u0027type\u0027] || ! wp_http_validate_url( $uploaded_file_url ) ) {\n\t\tthrow new \\GraphQL\\Error\\UserError( sprintf( __( \u0027Invalid filePath \"%s\"\u0027, \u0027wp-graphql\u0027 ), $input[\u0027filePath\u0027] ) );\n\t}\n\n\t$protocol = wp_parse_url( $input[\u0027filePath\u0027], PHP_URL_SCHEME );\n\n\t// prevent the filePath from being submitted with a non-allowed protocols\n\t$allowed_protocols = [ \u0027https\u0027, \u0027http\u0027, \u0027file\u0027 ];\n\n\tif ( ! in_array( $protocol, $allowed_protocols, true ) ) {\n\t\tthrow new \\GraphQL\\Error\\UserError( sprintf( __( \u0027Invalid protocol. \"%1$s\". Only \"%2$s\" allowed.\u0027, \u0027wp-graphql\u0027 ), $protocol, implode( \u0027\", \"\u0027, $allowed_protocols ) ) );\n\t}\n\n\treturn $nil;\n\n}, 10, 9 );\n```\n\n### References\n\n- https://patchstack.com/database/vulnerability/wp-graphql/wordpress-wp-graphql-plugin-1-14-5-server-side-request-forgery-ssrf-vulnerability\n",
  "id": "GHSA-cfh4-7wq9-6pgg",
  "modified": "2023-11-17T22:31:01Z",
  "published": "2023-06-30T20:35:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/wp-graphql/wp-graphql/security/advisories/GHSA-cfh4-7wq9-6pgg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23684"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wp-graphql/wp-graphql/pull/2840"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/wp-graphql/wp-graphql"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wp-graphql/wp-graphql/releases/tag/v1.14.6"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/wp-graphql/wordpress-wp-graphql-plugin-1-14-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "WPGraphQL Plugin vulnerable to Server Side Request Forgery (SSRF)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.