Impact
Some GraphQL mutations did not validate the type encoded in the ID input, which allowed access to database objects that the authenticated user might not be permitted to access.
Affects Saleor >= 2.0.0, breakdown:
- accountSetDefaultAddress >= 2.6.0 (2b63e12)
- accountAddressDelete >= 2.9.0 (ad1b899)
- addressDelete >= 2.6.0 (2b63e12)
- productVariantBulkCreate >= 2.9.0 (d5fae21)
- assignNavigation >= 2.0.0 (273867b)
This vulnerability can be used to expose the following information:
- Estimating database row counts from tables with a sequential primary key
- Exposing staff user and customer email addresses and full names through the assignNavigation() mutation
| Mutation Name | Required Privileges | Effect |
|---|---|---|
| accountSetDefaultAddress | Authenticated User | Request is rejected with error message: "The address doesn't belong to that user" |
| accountAddressDelete | Authenticated User or MANAGE_USERS | Staff user with MANAGE_USERS: crashes with error message "'User' object has no attribute 'user_addresses'". Authenticated user: request is rejected with message "You need one of the following permissions: MANAGE_USERS, OWNER" |
| addressDelete | MANAGE_USERS | Crash with error message: "'User' object has no attribute 'user_addresses'" |
| productVariantBulkCreate | MANAGE_PRODUCTS | Crash with error message: "'User' object has no attribute 'variants'" |
| assignNavigation | MANAGE_MENUS or MANAGE_SETTINGS | Crash leaking the object's Python representation; an address ID leaks that user's full name. Error message: Cannot assign "<Address: John Doe>": "SiteSettings.top_menu" must be a "Menu" instance. |
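The root cause above is a Relay global ID (base64 of "Type:pk") being decoded and used to look up a row without confirming that the encoded type is the one the mutation expects. The following is an added illustration, not Saleor's code: it models the lookup with constructed in-memory tables and shows the unchecked resolver beside the hardened one that rejects an ID whose type does not match.

```python
import base64

# Constructed stand-in for ORM tables, keyed by primary key (not real Saleor data).
TABLES = {
    "Address": {1: {"id": 1, "user_id": 7, "name": "Jane Roe"}},
    "User": {1: {"id": 1, "email": "alice@example.com", "name": "Alice Example"}},
}


class IdTypeMismatch(ValueError):
    """Raised when a global ID encodes a type other than the expected node type."""


def to_global_id(type_name: str, pk: int) -> str:
    """Build a Relay-style global ID, base64("Type:pk")."""
    return base64.b64encode(f"{type_name}:{pk}".encode()).decode()


def from_global_id(global_id: str) -> tuple:
    """Decode a global ID into (type_name, pk)."""
    type_name, _, pk = base64.b64decode(global_id).decode().partition(":")
    return type_name, int(pk)


def type_matches(global_id: str, expected_type: str) -> bool:
    """True only if the type encoded in the ID is the expected node type."""
    return from_global_id(global_id)[0] == expected_type


def resolve_unchecked(global_id: str, expected_type: str) -> dict:
    """Vulnerable pattern: the expected type is ignored, so the row comes from
    whichever table the caller named in the ID."""
    type_name, pk = from_global_id(global_id)
    return TABLES[type_name][pk]


def resolve_checked(global_id: str, expected_type: str) -> dict:
    """Hardened pattern: refuse the request before touching any table
    when the encoded type differs from the expected one."""
    if not type_matches(global_id, expected_type):
        raise IdTypeMismatch(f"Must receive a {expected_type} id")
    return TABLES[expected_type][from_global_id(global_id)[1]]
```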
Patches
Workarounds
None
References
None
For more information
If you have any questions or comments about this advisory: