Description
Authorization Bypass in graphql-shield
Versions of graphql-shield prior to 6.0.6 are vulnerable to an Authorization Bypass. The rule caching option no_cache relies on keys generated by cryptographically insecure functions, which may cause rules to be incorrectly cached. This allows attackers to access information they should not have access to in case of a key collision.
Recommendation
Upgrade to version 6.0.6 or later.
Packages
Name: graphql-shield (npm)
Affected versions: < 6.0.6
Fixed version: 6.0.6
Weaknesses
CWE-285