Get a demo
100% Signal 0% Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo
Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
Hasura GraphQL API without authentication - Vulnerability Database

Hasura GraphQL API without authentication

Description

Invicti determined that it was possible to access the Hasura GraphQL API without authentication. An unauthentication attacker may use this API to perform SSRF (Server-side request forgery) attacks.

Remediation

Restrict access to the Hasura GraphQL API by setting admin secret.

References

Server config examples

Related Vulnerabilities

SAP BO BIP SSRF (CVE-2020-6308) Medium
Common tags: Acumonitor SSRF
Oracle Weblogic T3 XXE (CVE-2019-2647) High
Common tags: Acumonitor SSRF
Paperclip gem SSRF (Server side request forgery) High
Common tags: Acumonitor SSRF
Reverse proxy misrouting High
Common tags: Acumonitor SSRF
Unvalidated JWT jku parameter High
Common tags: Acumonitor SSRF

Severity

Medium

Classification

CWE-200
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Acumonitor
SSRF