Vulnerability Description
API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resource. This attack appears to be exploitable via the user must be authorized. This vulnerability appears to have been fixed in 2.3.6.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Api-Platform | Core | >= 2.2.0, <= 2.3.5 |
References
- https://github.com/api-platform/core/issues/2364Issue TrackingThird Party Advisory
- https://github.com/api-platform/core/pull/2441Issue TrackingThird Party Advisory
- https://github.com/api-platform/core/issues/2364Issue TrackingThird Party Advisory
- https://github.com/api-platform/core/pull/2441Issue TrackingThird Party Advisory
FAQ
What is CVE-2019-1000011?
CVE-2019-1000011 is a vulnerability with a CVSS score of 6.5 (MEDIUM). API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resourc...
How severe is CVE-2019-1000011?
CVE-2019-1000011 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-1000011?
Check the references section above for vendor advisories and patch information. Affected products include: Api-Platform Core.