Security Notification
A Path Traversal security vulnerability has been recently discovered within the GraphQL Engine.
What we have done
We have patched versions 1.3, 2.11, 2.20, and 2.21-beta.
- v2.11.5
- v2.20.1
- v2.21.0-beta.1
- v1.3.4
What action do I need to take?
Hasura Cloud Projects: Projects running on Hasura Cloud were not vulnerable. No further action is needed unless you also self-host Hasura (see below).
Self-hosted Hasura Projects (Community Edition or Enterprise Edition): If your deployment is publicly exposed and not protected by a WAF or other HTTP protection layer, you may unset HASURA_GRAPHQL_CONSOLE_ASSETS_DIR, disable console for versions prior to 2.17.0, or update immediately to one of the fixed versions.
Details
Hasura Console is vulnerable to a Critical Path Enumeration vulnerability when configured to use Custom Assets. If your deployment sets HASURA_GRAPHQL_CONSOLE_ASSETS_DIR, then you may be vulnerable, because the custom-assets feature relies on Haskell file-serving capabilities that are vulnerable to path enumeration. In order to be vulnerable, all of the following must be true:
- You must set HASURA_GRAPHQL_CONSOLE_ASSETS_DIR
- You have not disabled the console, or you are running version 2.17.0 or later
- Your system is exposed to untrusted systems or users
- Your system does not have protections provided by a WAF, IPS, or webserver configuration that would block path traversal
It has been determined that this attack can be leveraged to recover the admin secret for the console and API.
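The four conditions above can be turned into a deployment audit. The following is an added example written for this notification, not Hasura's own tooling; it assumes that any later release in a patched series (for example 2.11.6) keeps the fix, and that version strings follow the `major.minor.patch` or `major.minor.patch-beta.N` forms listed here.

```python
import re
from typing import Tuple

# Fixed releases named in the notification, one per patched series.
FIXED_VERSIONS = ("1.3.4", "2.11.5", "2.20.1", "2.21.0-beta.1")

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-beta\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse '2.21.0-beta.1' into a comparable tuple.

    A final release sorts after every beta of the same number, so betas
    get their beta number as rank and releases get a large sentinel.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Hasura version string: {text!r}")
    major, minor, patch, beta = m.groups()
    rank = int(beta) if beta is not None else 1_000_000
    return (int(major), int(minor), int(patch), rank)


def is_patched(version: str) -> bool:
    """True if `version` is a fixed release, or a later release in the
    same major.minor series (assumption: later releases keep the fix)."""
    v = parse_version(version)
    for fixed in FIXED_VERSIONS:
        f = parse_version(fixed)
        if v[:2] == f[:2] and v >= f:
            return True
    return False


def is_exposed(version: str, assets_dir_set: bool, console_enabled: bool,
               untrusted_access: bool, traversal_blocked: bool) -> bool:
    """Apply the notification's conditions to one deployment's settings.

    Disabling the console only counts as a mitigation before 2.17.0;
    on 2.17.0 or later the deployment stays exposed with console off.
    """
    if is_patched(version) or not assets_dir_set:
        return False
    major, minor, *_ = parse_version(version)
    if not console_enabled and (major, minor) < (2, 17):
        return False
    if not untrusted_access or traversal_blocked:
        return False
    return True
```

A deployment for which `is_exposed` returns True should have HASURA_GRAPHQL_CONSOLE_ASSETS_DIR unset or be upgraded to one of the fixed releases.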
If you have any questions or concerns, please do reach out to us at support@hasura.io.
Thank you,
The Hasura Cloud Team