"Ricochet was very impressive with their knowledge, abilities and professionalism. We never ran into a technological roadblock or problem that couldn't be solved. They were able to offer new, cutting-edge solutions around every corner, and they were fantastic about staying in communication. It seemed like we were always able to get ahold of someone, whether it was Tuesday at 1am or Saturday at 7am, someone was quick to respond and help address an emergency or even a simple inquiry. Truly professional service, and quality work.
—Jacob Sowinski, Blue Canvas

GraphQL - Moderately critical - Access bypass - SA-CONTRIB-2023-050

Wed, 2023-11-08 07:30 — Anonymous (not verified)

Project: GraphQLDate: 2023-November-08Security risk: Moderately critical 11∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassAffected versions: <3.4.0 || >=4.0.0 <4.6.0Description: This module lets you craft and expose a GraphQL schema for Drupal 9 and 10.
The module currently does not adequately verify whether a given user has the necessary permissions to access an entity's label creating an access bypass vulnerability.
This vulnerability is mitigated by the fact that entity view and entity label access are usually handled by the same access check; developers have to opt-in for supporting different logic on entity types. Additionally your schema must make use of the EntityLabel DataProducer to be affected.Solution: Install the latest version:

If you use the GraphQL module v4 upgrade to GraphQL 8.x-4.6
If you use the GraphQL module v3 upgrade to GraphQL 8.x-3.4

Reported By:

Dezső Biczó

Fixed By:

Coordinated By:

Greg Knaddison of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2023-050

Search form

GraphQL - Moderately critical - Access bypass - SA-CONTRIB-2023-050