HackerOne: Unauthenticated users can obtain information about Checklist objects with unclaimed ChecklistCheck objects

The Checklist objects that can be queried through GraphQL are supposed to only be accessible by program members, the users who claimed or responded to a check belonging to a checklist, and HackerOne Pentesters. The Checklist object is also supposed to be in the running state e.g. when the platfor...

HackerOne: HackerOne Pentesters can access any structured scope object through GraphQL node interface

A missing authorization check in the StructuredScope protector class app/protectors/protectedstructuredscope.rb:42 enables any HackerOne Pentester to access structured scope objects of programs they aren't invited to or aren't running a penetration test through HackerOne. ruby class...

New Relic: Restricted user can update Apdex target for applications by leveraging the GraphQL mutation

Hey team, I've found that Restricted user can update Apdex target for applications by leveraging the GraphQL mutation which doesn't properly implement authorization. Steps to reproduce 1 Sign in NR with Restricted user 2 Navigate to https://api.newrelic.com/graphiql, intercept the request to...

HackerOne: Unauthorized user can obtain `report_sources` attribute through Team GraphQL object

Summary: Hi team. And Happy New Year! Description: If I am not mistaken, then through this parameter we can define private programs with an external link. If this parameter is not empty, then the program is private. - "HackerOne Platform" Steps To Reproduce https://hackerone.com/graphql POST:...

FreeBSD : Gitlab -- Multiple Vulnerabilities (01bde18a-2e09-11ea-a935-001b217b3468)

SO-AND-SO reports : Group Maintainers Can Update/Delete Group Runners Using API GraphQL Queries Can Hang the Application Unauthorized Users Have Access to Milestones of Releases Private Group Name Revealed Through Protected Tags API Users Can Publish Reviews on Locked Merge Requests DoS in the...

Gitlab -- Multiple Vulnerabilities

The GitLab Team reports: Group Maintainers Can Update/Delete Group Runners Using API GraphQL Queries Can Hang the Application Unauthorized Users Have Access to Milestones of Releases Private Group Name Revealed Through Protected Tags API Users Can Publish Reviews on Locked Merge Requests DoS in t...

New Relic: Restricted user can remove NerdStorage documents/collections scoped to ACCOUNT or ENTITY

Hey team, I've found that the Restricted user can remove both documents and whole collections of NerdStorage documents which are scoped to ACCOUNT and ENTITY. I don't know if this is a vulnerability or not, but I think it would be better for you to discuss this internally. According to docs, if a...

New Relic: Cross-account reading of Insights dashboards through GraphQL

@skavans identified a GraphQL query lacking validation. This had the potential to return a subset of Insights dashboards in target accounts...

HackerOne: profile-picture name parameter with large value lead to DoS for other users and programs on the platform

Summary: The issue persists as there are no text limitations for profile-picture name while uploading the profile-picture, these heavy text names can cause denial of service on different pages of hackerone. Description: I was checking the profile picture upload feature of hackerone and found out...

Information Exposure

Overview Versions of type-graphql prior to 0.17.6 are vulnerable to Information Exposure. The package leaks the resolver source code in an error message. It is possible to force this error when no subscription topics are provided in the request. Recommendation Upgrade to version 0.17.6 or later...

GitLab: Guest users can change the confidentiality attribute on those issues that have been assigned to them

Summary A user with no association to a project nor group can use a mutation GraphQL query to change the confidentiality on those issues where they have been previously assigned. This functionality is restricted to those users which have been granted access to a project and hold at least the...

CVE-2019-15576

An information disclosure vulnerability exists in GitLab CE/EE v12.3.2, v12.2.6, and v12.1.12 that allowed an attacker to view private system notes from a GraphQL endpoint...

CVE-2019-15576

An information disclosure vulnerability exists in GitLab CE/EE v12.3.2, v12.2.6, and v12.1.12 that allowed an attacker to view private system notes from a GraphQL endpoint...

Information disclosure

An information disclosure vulnerability exists in GitLab CE/EE v12.3.2, v12.2.6, and v12.1.12 that allowed an attacker to view private system notes from a GraphQL endpoint...

CVE-2019-15576

An information disclosure vulnerability exists in GitLab CE/EE v12.3.2, v12.2.6, and v12.1.12 that allowed an attacker to view private system notes from a GraphQL endpoint...

CVE-2019-15576

An information disclosure vulnerability exists in GitLab CE/EE v12.3.2, v12.2.6, and v12.1.12 that allowed an attacker to view private system notes from a GraphQL endpoint...

CVE-2019-15576

Removed by vendor...

CVE-2019-15576

CVE-2019-15576 is an information disclosure vulnerability affecting GitLab CE/EE versions prior to 12.3.2, 12.2.6, and 12.1.12. The issue allows an attacker to view private system notes via a GraphQL endpoint. The root cause and exact vulnerable component are not explicitly detailed beyond versio...

GitLab Doles Out Half a Million Bucks to White Hats

GitLab has awarded a total of $565,650 in security bug bounties to 171 researchers who reported valid vulnerabilities in the past year — and has announced the winners of its latest hacking contest. GitLab, which started out as a web-based Git repository manager before moving into the DevOps...

GraphQL Batching Attack

There is a new attack surface when the app tech stack includes GraphQL. It's Batched Attacks on GraphQL APIs. How can these apps be protected? Read more to find out. The post GraphQL Batching Attack appeared first on Wallarm Blog...