Lucene search

Veracode Vulnerability DatabaseVERACODE:42826

HistoryAug 17, 2023 - 2:30 a.m.

Improper Access Control

2023-08-1702:30:00

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

keystone-6/core

improper access control

adminmetaschema.ts

graphql query

session strategy

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

20.8%

JSON

@keystone-6/core is vulnerable to Improper Access Control. The vulnerability exists when the ui.isAccessAllowed parameter in the KeystoneMeta function of adminMetaSchema.ts is set as undefined, which allows an attacker to access the admin meta GraphQL query if the session strategy is not defined.

CPENameOperatorVersion
@keystone-6/corele5.5.0
@keystone-6/corele5.5.0

CPE	Name	Operator	Version
	@keystone-6/core	le	5.5.0
	@keystone-6/core	le	5.5.0

References

github.com/keystonejs/keystone/commit/650e27e6e9b42abfb94c340c8470faf61f0ff284

github.com/keystonejs/keystone/pull/8771

github.com/keystonejs/keystone/security/advisories/GHSA-9cvc-v7wm-992c

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

20.8%

JSON

Related for VERACODE:42826