GSD-2023-23684

Vulnerability from gsd - Updated: 2023-12-13 01:20
Details
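Server-Side Request Forgery (SSRF) vulnerability in WPGraphQL. This issue affects WPGraphQL: from n/a through 1.14.5. Per the advisory data in the record below, the affected code path is the `createMediaItem` mutation's `filePath` argument, reachable by authenticated users who can upload media, and the fix is in 1.14.6.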
Aliases

{
  "GSD": {
    "alias": "CVE-2023-23684",
    "id": "GSD-2023-23684"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-23684"
      ],
      "details": "Server-Side Request Forgery (SSRF) vulnerability in WPGraphQL.This issue affects WPGraphQL: from n/a through 1.14.5.\n\n",
      "id": "GSD-2023-23684",
      "modified": "2023-12-13T01:20:50.073712Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "audit@patchstack.com",
        "ID": "CVE-2023-23684",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "WPGraphQL",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "not down converted",
                          "x_cve_json_5_version_data": {
                            "defaultStatus": "unaffected",
                            "versions": [
                              {
                                "changes": [
                                  {
                                    "at": "1.14.6",
                                    "status": "unaffected"
                                  }
                                ],
                                "lessThanOrEqual": "1.14.5",
                                "status": "affected",
                                "version": "n/a",
                                "versionType": "custom"
                              }
                            ]
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "WPGraphQL"
            }
          ]
        }
      },
      "credits": [
        {
          "lang": "en",
          "value": "Ravi Dharmawan (Patchstack Alliance)"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Server-Side Request Forgery (SSRF) vulnerability in WPGraphQL.This issue affects WPGraphQL: from n/a through 1.14.5.\n\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-918",
                "lang": "eng",
                "value": "CWE-918 Server-Side Request Forgery (SSRF)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://patchstack.com/database/vulnerability/wp-graphql/wordpress-wp-graphql-plugin-1-14-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve",
            "refsource": "MISC",
            "url": "https://patchstack.com/database/vulnerability/wp-graphql/wordpress-wp-graphql-plugin-1-14-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
          }
        ]
      },
      "solution": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to\u0026nbsp;1.14.6 or a higher version."
            }
          ],
          "value": "Update to\u00a01.14.6 or a higher version."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c=1.14.5",
          "affected_versions": "All versions up to 1.14.5",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2023-06-30",
          "description": "### Impact\nUsers with capabilities to upload media (editors and above) are succeptible to SSRF (Server-Side Request Forgery) when executing the `createMediaItem` Mutation. \n\nAuthenticated users making GraphQL requests that execute the `createMediaItem` could pass executable paths in the mutations `filePath` argument that could give them unwarranted access to the server. \n\nIt\u0027s recommended to update to WPGraphQL v1.14.6 or newer. If you\u0027re unable to do so, below is a snippet you can add to your functions.php (or similar) that filters the `createMediaItem` mutation\u0027s resolver. \n\n### Patches\n\n- [v1.14.6](https://github.com/wp-graphql/wp-graphql/releases/tag/v1.14.6)\n- https://github.com/wp-graphql/wp-graphql/pull/2840\n\n### Workarounds\nIf you\u0027re unable to upgrade to v1.14.6 or higher, you should be able to use the following snippet in your functions.php to override the vulnerable resolver. \n\nThis snippet has been tested as far back as WPGraphQL v0.15\n\n```php\nadd_filter( \u0027graphql_pre_resolve_field\u0027, function( $nil, $source, $args, $context, \\GraphQL\\Type\\Definition\\ResolveInfo $info, $type_name, $field_key, $field, $field_resolver ) {\n\n\tif ( $info-\u003efieldName !== \u0027createMediaItem\u0027 ) {\n\t\treturn $nil;\n\t}\n\n\t$input = $args[\u0027input\u0027] ?? null;\n\n    if ( ! isset( $input[\u0027filePath\u0027] ) ) {\n\t\treturn $nil;\n\t}\n\n\t$uploaded_file_url  = $input[\u0027filePath\u0027];\n\n\t// Check that the filetype is allowed\n\t$check_file = wp_check_filetype( $uploaded_file_url );\n\n\t// if the file does not pass the check, throw an error\n\tif ( ! $check_file[\u0027ext\u0027] || ! $check_file[\u0027type\u0027] || ! 
wp_http_validate_url( $uploaded_file_url ) ) {\n\t\tthrow new \\GraphQL\\Error\\UserError( sprintf( __( \u0027Invalid filePath \"%s\"\u0027, \u0027wp-graphql\u0027 ), $input[\u0027filePath\u0027] ) );\n\t}\n\n\t$protocol = wp_parse_url( $input[\u0027filePath\u0027], PHP_URL_SCHEME );\n\n\t// prevent the filePath from being submitted with a non-allowed protocols\n\t$allowed_protocols = [ \u0027https\u0027, \u0027http\u0027, \u0027file\u0027 ];\n\n\tif ( ! in_array( $protocol, $allowed_protocols, true ) ) {\n\t\tthrow new \\GraphQL\\Error\\UserError( sprintf( __( \u0027Invalid protocol. \"%1$s\". Only \"%2$s\" allowed.\u0027, \u0027wp-graphql\u0027 ), $protocol, implode( \u0027\", \"\u0027, $allowed_protocols ) ) );\n\t}\n\n\treturn $nil;\n\n}, 10, 9 );\n```\n\n### References\n\n- https://patchstack.com/database/vulnerability/wp-graphql/wordpress-wp-graphql-plugin-1-14-5-server-side-request-forgery-ssrf-vulnerability \n",
          "fixed_versions": [
            "1.14.6"
          ],
          "identifier": "CVE-2023-23684",
          "identifiers": [
            "GHSA-cfh4-7wq9-6pgg",
            "CVE-2023-23684"
          ],
          "not_impacted": "All versions after 1.14.5",
          "package_slug": "packagist/wp-graphql/wp-graphql",
          "pubdate": "2023-06-30",
          "solution": "Upgrade to version 1.14.6 or above.",
          "title": "WPGraphQL Plugin vulnerable to Server Side Request Forgery (SSRF)",
          "urls": [
            "https://github.com/wp-graphql/wp-graphql/security/advisories/GHSA-cfh4-7wq9-6pgg",
            "https://github.com/wp-graphql/wp-graphql/pull/2840",
            "https://github.com/wp-graphql/wp-graphql/releases/tag/v1.14.6",
            "https://github.com/advisories/GHSA-cfh4-7wq9-6pgg"
          ],
          "uuid": "8a210cc3-b0fd-4ce5-a224-22d2afd903c8"
        }
      ]
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:wpengine:wpgraphql:*:*:*:*:*:wordpress:*:*",
                    "matchCriteriaId": "5106F09D-5508-4BFB-96BF-862829C95E67",
                    "versionEndIncluding": "1.14.5",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Server-Side Request Forgery (SSRF) vulnerability in WPGraphQL.This issue affects WPGraphQL: from n/a through 1.14.5.\n\n"
          },
          {
            "lang": "es",
            "value": "Vulnerabilidad de Server-Side Request Forgery (SSRF) en WPGraphQL. Este problema afecta a WPGraphQL: desde n/a hasta 1.14.5."
          }
        ],
        "id": "CVE-2023-23684",
        "lastModified": "2023-12-20T20:10:54.733",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 1.3,
              "impactScore": 2.7,
              "source": "audit@patchstack.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2023-11-13T03:15:07.993",
        "references": [
          {
            "source": "audit@patchstack.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://patchstack.com/database/vulnerability/wp-graphql/wordpress-wp-graphql-plugin-1-14-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
          }
        ],
        "sourceIdentifier": "audit@patchstack.com",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-918"
              }
            ],
            "source": "audit@patchstack.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

