Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWh4NzgtMjcycC1tcXFo
Authorization Bypass in graphql-shield
Versions of graphql-shield prior to 6.0.6 are vulnerable to an Authorization Bypass. The rule caching option no_cache relies on keys generated by cryptographically insecure functions, which may cause rules to be incorrectly cached. This allows attackers to access information they should not have access to in case of a key collision.
Recommendation
Upgrade to version 6.0.6 or later.
Permalink: https://github.com/advisories/GHSA-hx78-272p-mqqhJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWh4NzgtMjcycC1tcXFo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
Identifiers: GHSA-hx78-272p-mqqh
References: Blast Radius: 0.0
Affected Packages
npm:graphql-shield
Dependent packages: 73Dependent repositories: 813
Downloads: 559,767 last month
Affected Version Ranges: < 6.0.6
Fixed in: 6.0.6
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.1.0, 0.1.1, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 3.0.0, 3.0.1, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.1.2, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.3.7, 5.3.8, 5.4.0, 5.5.0, 5.6.0, 5.6.1, 5.6.2, 5.7.0, 5.7.1, 5.7.2, 5.7.3, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5
All unaffected versions: 6.0.6, 6.0.7, 6.1.0, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.12, 7.0.13, 7.0.14, 7.1.0, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.4.0, 7.4.1, 7.4.2, 7.4.3, 7.4.4, 7.5.0, 7.6.0, 7.6.1, 7.6.2, 7.6.3, 7.6.4, 7.6.5