References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Known Affected Software Configurations Switch to CPE 2.2

Change History

OR
          *cpe:2.3:a:strawberry:strawberry_graphql:*:*:*:*:*:python:*:* versions up to (excluding) 0.312.3

GitHub, Inc.: https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-vpwc-v33q-mq89 Types: Vendor Advisory

Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connection_init handshake has been completed before processing start (subscription) messages. This allows a remote attacker to skip the on_ws_connect authentication hook entirely by connecting with the graphql-ws subprotocol and sending a start message directly, without ever sending connection_init.  This vulnerability is fixed in 0.312.3.

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-306

https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-vpwc-v33q-mq89