Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Strawberry GraphQL has a type resolution vulnerability
Vulnerability Description
Strawberry GraphQL is a library for creating GraphQL APIs. Starting in 0.182.0 and prior to version 0.257.0, a type confusion vulnerability exists in Strawberry GraphQL's relay integration that affects multiple ORM integrations (Django, SQLAlchemy, Pydantic). The vulnerability occurs when multiple GraphQL types are mapped to the same underlying model while using the relay node interface. When querying for a specific type using the global node field (e.g., FruitType:some-id), the resolver may incorrectly return an instance of a different type mapped to the same model (e.g., SpecialFruitType). This can lead to information disclosure if the alternate type exposes sensitive fields and potential privilege escalation if the alternate type contains data intended for restricted access. This vulnerability is fixed in 0.257.0.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Vulnerability Type
使用不兼容类型访问资源(类型混淆)
Vulnerability Title
Strawberry GraphQL 安全漏洞
Vulnerability Description
Strawberry GraphQL是Strawberry GraphQL开源的一个利用类型注释的 Python GraphQL 库。 Strawberry GraphQL 0.182.0至0.257.0之前版本存在安全漏洞,该漏洞源于relay集成中的类型混淆,导致查询特定类型时可能错误返回不同类型的实例,引发信息泄露和潜在的权限提升。
CVSS Information
N/A
Vulnerability Type
N/A