漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Strawberry GraphQL has a type resolution vulnerability
Vulnerability Description
Strawberry GraphQL is a library for creating GraphQL APIs. Starting in 0.182.0 and prior to version 0.257.0, a type confusion vulnerability exists in Strawberry GraphQL's relay integration that affects multiple ORM integrations (Django, SQLAlchemy, Pydantic). The vulnerability occurs when multiple GraphQL types are mapped to the same underlying model while using the relay node interface. When querying for a specific type using the global node field (e.g., FruitType:some-id), the resolver may incorrectly return an instance of a different type mapped to the same model (e.g., SpecialFruitType). This can lead to information disclosure if the alternate type exposes sensitive fields and potential privilege escalation if the alternate type contains data intended for restricted access. This vulnerability is fixed in 0.257.0.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Vulnerability Type
使用不兼容类型访问资源(类型混淆)
Vulnerability Title
Strawberry GraphQL 安全漏洞
Vulnerability Description
Strawberry GraphQL是Strawberry GraphQL开源的一个利用类型注释的 Python GraphQL 库。 Strawberry GraphQL 0.182.0至0.257.0之前版本存在安全漏洞,该漏洞源于relay集成中的类型混淆,导致查询特定类型时可能错误返回不同类型的实例,引发信息泄露和潜在的权限提升。
CVSS Information
N/A
Vulnerability Type
N/A