4 matches found

OSV
added 2025/04/04 2:19 p.m., 12 views

GHSA-428Q-Q3VV-3FQ3 GraphQL grant on a property might be cached with different objects

Original message: I found an issue with security grants on properties in the GraphQL ItemNormalizer: If you use something like `ApiProperty(security: 'is_granted("PROPERTY_READ", [object, property])')` on a member of an entity, the grant gets cached and is only evaluated once, even if the object in...

CVSS: 7.5, AI score: 7.1, EPSS: 0.00387
Exploits: 0, References: 8
Github Security Blog
added 2025/04/04 2:19 p.m., 44 views

GraphQL grant on a property might be cached with different objects

Original message: I found an issue with security grants on properties in the GraphQL ItemNormalizer: If you use something like `ApiProperty(security: 'is_granted("PROPERTY_READ", [object, property])')` on a member of an entity, the grant gets cached and is only evaluated once, even if the object in...

CVSS: 7.5, AI score: 7.1, EPSS: 0.00387
Exploits: 0, References: 8, Affected Software: 2
Snyk
added 2025/04/03 7:47 p.m., 2 views

Incorrect Behavior Order

Overview: api-platform/graphql is an API Platform GraphQL component. Affected versions of this package are vulnerable to Incorrect Behavior Order due to the `ItemNormalizer::isCacheKeySafe` method. An attacker can access sensitive information by exploiting the improper cache key generation. Workarou...

CVSS: 8.7, AI score: 6.7, EPSS: 0.00387
Exploits: 0, References: 2
Snyk
added 2025/04/03 7:47 p.m., 3 views

Incorrect Behavior Order

Overview: api-platform/core builds a fully-featured hypermedia or GraphQL API in minutes. Affected versions of this package are vulnerable to Incorrect Behavior Order due to the `ItemNormalizer::isCacheKeySafe` method. An attacker can access sensitive information by exploiting the improper cach...

CVSS: 8.7, AI score: 6.7, EPSS: 0.00387
Exploits: 0, References: 2