Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
osvGoogleOSV:GHSA-CFH4-7WQ9-6PGG
HistoryJun 30, 2023 - 8:35 p.m.

WPGraphQL Plugin vulnerable to Server Side Request Forgery (SSRF)

2023-06-3020:35:37
Google
osv.dev
18
wpgraphql
ssrf
server-side request forgery
vulnerability
mediaitem
security patch
update
functions.php
graphql

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

18.1%

JSON

Impact

Users with capabilities to upload media (editors and above) are succeptible to SSRF (Server-Side Request Forgery) when executing the createMediaItem Mutation.

Authenticated users making GraphQL requests that execute the createMediaItem could pass executable paths in the mutations filePath argument that could give them unwarranted access to the server.

It’s recommended to update to WPGraphQL v1.14.6 or newer. If you’re unable to do so, below is a snippet you can add to your functions.php (or similar) that filters the createMediaItem mutation’s resolver.

Patches

Workarounds

If you’re unable to upgrade to v1.14.6 or higher, you should be able to use the following snippet in your functions.php to override the vulnerable resolver.

This snippet has been tested as far back as WPGraphQL v0.15

add_filter( 'graphql_pre_resolve_field', function( $nil, $source, $args, $context, \GraphQL\Type\Definition\ResolveInfo $info, $type_name, $field_key, $field, $field_resolver ) {

	if ( $info->fieldName !== 'createMediaItem' ) {
		return $nil;
	}

	$input = $args['input'] ?? null;

        if ( ! isset( $input['filePath'] ) ) {
		return $nil;
	}

	$uploaded_file_url   = $input['filePath'];

	// Check that the filetype is allowed
	$check_file = wp_check_filetype( $uploaded_file_url );

	// if the file doesn't pass the check, throw an error
	if ( ! $check_file['ext'] || ! $check_file['type'] || ! wp_http_validate_url( $uploaded_file_url ) ) {
		throw new \GraphQL\Error\UserError( sprintf( __( 'Invalid filePath "%s"', 'wp-graphql' ), $input['filePath'] ) );
	}

	$protocol = wp_parse_url( $input['filePath'], PHP_URL_SCHEME );

	// prevent the filePath from being submitted with a non-allowed protocols
	$allowed_protocols = [ 'https', 'http', 'file' ];

	if ( ! in_array( $protocol, $allowed_protocols, true ) ) {
		throw new \GraphQL\Error\UserError( sprintf( __( 'Invalid protocol. "%1$s". Only "%2$s" allowed.', 'wp-graphql' ), $protocol, implode( '", "', $allowed_protocols ) ) );
	}

	return $nil;

}, 10, 9 );

References

Related

cvelist 1
osv 1
prion 1
github 1
nvd 1
veracode 1
cve 1
wordfence 1
cvelist
cvelist
CVE-2023-23684 WordPress WPGraphQL Plugin <= 1.14.5 is vulnerable to Server Side Request Forgery (SSRF)
2023-11-13 03:01:23
osv
osv
CVE-2023-23684
2023-11-13 03:15:07
prion
prion
Server side request forgery (ssrf)
2023-11-13 03:15:00
github
github
WPGraphQL Plugin vulnerable to Server Side Request Forgery (SSRF)
2023-06-30 20:35:37
nvd
nvd
CVE-2023-23684
2023-11-13 03:15:07
veracode
veracode
Server Side Request Forgery (SSRF)
2023-07-09 14:16:53
cve
cve
CVE-2023-23684
2023-11-13 03:15:07
wordfence
wordfence
Wordfence Intelligence Weekly WordPress Vulnerability Report (June 26, 2023 to July 2, 2023)
2023-07-06 12:58:56

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

18.1%

JSON
Related for OSV:GHSA-CFH4-7WQ9-6PGG
cvelist1osv1prion1github1nvd1veracode1cve1wordfence1