8 matches found

RedhatCVE (added 2025/02/05 7:41 p.m.)

CVE-2022-39382

Keystone is a headless CMS for Node.js — built with GraphQL and React. @keystone-6/[email protected] || 3.0.1 users that use NODE_ENV to trigger security-sensitive functionality in their production builds are vulnerable to NODE_ENV being inlined to "development" for user code, irrespective of what your...

CVSS 9.8 | AI score 7 | EPSS 0.02127
Exploits: 1 | References: 1
Veracode (added 2023/08/17 2:30 a.m.)

Improper Access Control

@keystone-6/core is vulnerable to Improper Access Control. The vulnerability exists when the ui.isAccessAllowed parameter in the KeystoneMeta function of adminMetaSchema.ts is set as undefined, which allows an attacker to access the admin meta GraphQL query if the session strategy is not defined...

CVSS 5.3 | AI score 6.7 | EPSS 0.00321
Exploits: 0 | References: 3 | Affected Software: 1
OSV (added 2023/08/15 8:4 p.m.)

GHSA-9CVC-V7WM-992C When `ui.isAccessAllowed` is `undefined`, the `adminMeta` GraphQL query is publicly accessible

Summary When ui.isAccessAllowed is undefined, the adminMeta GraphQL query is publicly accessible, that is to say, no session is required for the query. This is different to the behaviour of the default AdminUI middleware, which by default will only be publicly accessible if a session strategy is...

CVSS 5.3 | AI score 4.6 | EPSS 0.00321
Exploits: 0 | References: 6
Vulnrichment (added 2023/08/15 5:45 p.m.)

CVE-2023-40027 Conditionally missing authorization in @keystone-6/core

Keystone is an open source headless CMS for Node.js — built with GraphQL and React. When ui.isAccessAllowed is set as undefined, the adminMeta GraphQL query is publicly accessible, no session required. This is different to the behaviour of the default AdminUI middleware, which by default will only...

CVSS 3.7 | AI score 6.8 | EPSS 0.00321
Exploits: 0 | References: 3
Cvelist (added 2023/08/15 5:45 p.m.)

CVE-2023-40027 Conditionally missing authorization in @keystone-6/core

Keystone is an open source headless CMS for Node.js — built with GraphQL and React. When ui.isAccessAllowed is set as undefined, the adminMeta GraphQL query is publicly accessible, no session required. This is different to the behaviour of the default AdminUI middleware, which by default will only...

CVSS 3.7 | AI score 5.5 | EPSS 0.00321
Exploits: 0 | References: 3
Veracode (added 2022/11/04 4:55 a.m.)

Remote Code Execution

@keystone-6/core is vulnerable to remote code execution. The use of NODE_ENV not in dependencies triggers the security-sensitive functionality in a production build, which makes it vulnerable to NODE_ENV being inlined to development for user code...

CVSS 9.8 | AI score 9.3 | EPSS 0.02127
Exploits: 1 | References: 4 | Affected Software: 1
OSV (added 2022/11/03 12:0 a.m.)

CVE-2022-39382 NODE_ENV in Keystone defaults to development with esbuild

Keystone is a headless CMS for Node.js — built with GraphQL and React. @keystone-6/[email protected] || 3.0.1 users that use NODE_ENV to trigger security-sensitive functionality in their production builds are vulnerable to NODE_ENV being inlined to "development" for user code, irrespective of what your...

CVSS 9.8 | AI score 9.2 | EPSS 0.02127
Exploits: 1 | References: 5
OSV (added 2022/10/25 12:0 a.m.)

CVE-2022-39322 @keystone-6/core vulnerable to field-level access-control bypass for multiselect field

@keystone-6/core is a core package for Keystone 6, a content management system for Node.js. Starting with version 2.2.0 and prior to version 2.3.1, users who expected their multiselect fields to use the field-level access control - if configured - are vulnerable to their field-level access contro...

CVSS 9.1 | AI score 9 | EPSS 0.00975
Exploits: 1 | References: 4