216.73.216.204

CVE-2024-47082

· Published 25/09/2024 18:15 · Modified 01/10/2024 20:01

Labels: CVE-2024-47082 2024-09-25CVE-2024-47082CWE-352[email protected]

Essential information

Published
25/09/2024 18:15
Modified
01/10/2024 20:01
Author
Creator
CVSS
8.0 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS metrics

Description

Strawberry GraphQL is a library for creating GraphQL APIs. Prior to version 0.243.0, multipart file upload support as defined in the GraphQL multipart request specification was enabled by default in all Strawberry HTTP view integrations. This made all Strawberry HTTP view integrations vulnerable to cross-site request forgery (CSRF) attacks if users did not explicitly enable CSRF preventing security mechanism for their servers. Additionally, the Django HTTP view integration, in particular, had an exemption for Django's built-in CSRF protection (i.e., the `CsrfViewMiddleware` middleware) by default. In affect, all Strawberry integrations were vulnerable to CSRF attacks by default. Version `v0.243.0` is the first `strawberry-graphql` including a patch.

NVD status

Status
Analyzed — CVE has had analysis completed and all data associations made.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
strawberryrocks / strawberry cpe:2.3:a:strawberryrocks:strawberry:*:*:*:*:*:*:*:*

References