Vulnerability Description
Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends. The fixed versions are 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2. (Versions before 2.10.0 are unaffected.)
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hasura | Graphql Engine | >= 2.10.0, < 2.10.2 |
Related Weaknesses (CWE)
References
- https://github.com/hasura/graphql-engine/security/advisories/GHSA-g7mj-g7f4-hgrgPatchThird Party Advisory
- https://groups.google.com/g/hasura-security-announce/c/kzK-uPAKGUUMailing ListPatchThird Party Advisory
- https://hasura.io/blog/critical-vulnerability-in-hasuras-graphql-engine-v2-10-0/MitigationVendor Advisory
- https://github.com/hasura/graphql-engine/security/advisories/GHSA-g7mj-g7f4-hgrgPatchThird Party Advisory
- https://groups.google.com/g/hasura-security-announce/c/kzK-uPAKGUUMailing ListPatchThird Party Advisory
- https://hasura.io/blog/critical-vulnerability-in-hasuras-graphql-engine-v2-10-0/MitigationVendor Advisory
FAQ
What is CVE-2022-46792?
CVE-2022-46792 is a vulnerability with a CVSS score of 8.8 (HIGH). Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends. The fixed versions are 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2. (Version...
How severe is CVE-2022-46792?
CVE-2022-46792 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-46792?
Check the references section above for vendor advisories and patch information. Affected products include: Hasura Graphql Engine.