Lucene search

[email protected]NVD:CVE-2019-1000011

HistoryFeb 04, 2019 - 9:29 p.m.

CVE-2019-1000011

2019-02-0421:29:01

[email protected]

web.nvd.nist.gov

CVSS2

5.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:P/A:P

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

AI Score

6.5

Confidence

High

EPSS

0.001

Percentile

23.7%

JSON

API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resource. This attack appears to be exploitable via the user must be authorized. This vulnerability appears to have been fixed in 2.3.6.

Affected configurations

Nvd

Node

api-platformcoreRange2.2.0–2.3.5

VendorProductVersionCPE
api-platformcore*cpe:2.3:a:api-platform:core:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
api-platform	core	*	cpe:2.3:a:api-platform:core::::::::

References

github.com/api-platform/core/issues/2364

github.com/api-platform/core/pull/2441

CVSS2

5.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:P/A:P

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

AI Score

6.5

Confidence

High

EPSS

0.001

Percentile

23.7%

JSON

Related for NVD:CVE-2019-1000011

cvelist1 prion1 osv2 friendsofphp2 cve1 gitlab1 github1