Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS03OWdwLXE0d3YtMzNmcs4AA_xi

Cross-Site Request Forgery (CSRF) in strawberry-graphql

Impact

Multipart file upload support, as defined in the GraphQL multipart request specification, was enabled by default in all Strawberry HTTP view integrations. Because a multipart form POST can be submitted cross-origin by a browser without a CORS preflight, this left every Strawberry HTTP view integration vulnerable to CSRF attacks unless users explicitly enabled a CSRF-preventing security mechanism for their servers.
Additionally, the Django HTTP view integration in particular was exempt by default from Django's built-in CSRF protection (i.e., the CsrfViewMiddleware middleware).

In effect, all Strawberry integrations were vulnerable to CSRF attacks by default.

Patches

Version 0.243.0 is the first strawberry-graphql release that includes a patch. Check out our documentation for additional details and upgrade instructions.

References

Credits

Permalink: https://github.com/advisories/GHSA-79gp-q4wv-33fr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03OWdwLXE0d3YtMzNmcs4AA_xi
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 months ago
Updated: about 2 months ago


CVSS Score: 4.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

Identifiers: GHSA-79gp-q4wv-33fr, CVE-2024-47082
References: Repository: https://github.com/strawberry-graphql/strawberry
Blast Radius: 11.6

Affected Packages

pypi:strawberry-graphql
Dependent packages: 60
Dependent repositories: 325
Downloads: 1,280,061 last month
Affected Version Ranges: < 0.243.0
Fixed in: 0.243.0
All unaffected versions: 0.243.0, 0.243.1, 0.244.0, 0.244.1, 0.245.0, 0.246.0, 0.246.1, 0.246.2, 0.246.3, 0.247.0