Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Authentication bypass in strawberry-graphql via legacy graphql-ws WebSocket subprotocol
Vulnerability Description
Strawberry GraphQL is a library for creating GraphQL APIs. Strawberry up until version 0.312.3 is vulnerable to an authentication bypass on WebSocket subscription endpoints. The legacy graphql-ws subprotocol handler does not verify that a connection_init handshake has been completed before processing start (subscription) messages. This allows a remote attacker to skip the on_ws_connect authentication hook entirely by connecting with the graphql-ws subprotocol and sending a start message directly, without ever sending connection_init. This vulnerability is fixed in 0.312.3.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
关键功能的认证机制缺失
Vulnerability Title
Strawberry GraphQL 访问控制错误漏洞
Vulnerability Description
Strawberry GraphQL是Strawberry GraphQL开源的一个利用类型注释的 Python GraphQL 库。 Strawberry GraphQL 0.312.3之前版本存在访问控制错误漏洞,该漏洞源于WebSocket订阅端点身份验证绕过,可能导致远程攻击者通过graphql-ws子协议跳过身份验证钩子。
CVSS Information
N/A
Vulnerability Type
N/A