Lucene search

[email protected]CVE-2020-4038

HistoryJun 08, 2020 - 9:15 p.m.

CVE-2020-4038

2020-06-0821:15:09

CWE-79

[email protected]

web.nvd.nist.gov

cve-2020-4038

graphql playground

xss

reflection attack

npm package

security vulnerability

patch

middleware packages

nvd

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

52.2%

JSON

GraphQL Playground (graphql-playground-html NPM package) before version 1.6.22 have a severe XSS Reflection attack vulnerability. All unsanitized user input passed into renderPlaygroundPage() method could trigger this vulnerability. This has been patched in graphql-playground-html version 1.6.22. Note that some of the associated dependent middleware packages are also affected including but not limited to graphql-playground-middleware-express before version 1.7.16, graphql-playground-middleware-koa before version 1.6.15, graphql-playground-middleware-lambda before version 1.7.17, and graphql-playground-middleware-hapi before 1.6.13.

Affected configurations

Vulners

NVD

Node

prisma-labsgraphql_playgroundRange<1.6.22

CPENameOperatorVersion
prisma:graphql-playground-htmlprisma graphql-playground-htmllt1.6.22
prisma:graphql-playground-middleware-expressprisma graphql-playground-middleware-expresslt1.7.16
prisma:graphql-playground-middleware-hapiprisma graphql-playground-middleware-hapilt1.6.13
prisma:graphql-playground-middleware-koaprisma graphql-playground-middleware-koalt1.6.15
prisma:graphql-playground-middleware-lambdaprisma graphql-playground-middleware-lambdalt1.7.17

CPE	Name	Operator	Version
prisma:graphql-playground-html	prisma graphql-playground-html	lt	1.6.22
prisma:graphql-playground-middleware-express	prisma graphql-playground-middleware-express	lt	1.7.16
prisma:graphql-playground-middleware-hapi	prisma graphql-playground-middleware-hapi	lt	1.6.13
prisma:graphql-playground-middleware-koa	prisma graphql-playground-middleware-koa	lt	1.6.15
prisma:graphql-playground-middleware-lambda	prisma graphql-playground-middleware-lambda	lt	1.7.17

CNA Affected

[
  {
    "product": "graphql-playground",
    "vendor": "prisma-labs",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.6.22"
      }
    ]
  }
]

References

github.com/prisma-labs/graphql-playground#security-details

github.com/prisma-labs/graphql-playground/commit/bf1883db538c97b076801a60677733816cb3cfb7

github.com/prisma-labs/graphql-playground/security/advisories/GHSA-4852-vrh7-28rf

Social References

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

52.2%

JSON

Related for CVE-2020-4038

veracode1 osv2 nvd1 prion1 cvelist1 github1