CVE-2022-39275

CVSS V2 None CVSS V3 Medium 4.3
Description
Saleor is a headless, GraphQL commerce platform. In affected versions some GraphQL mutations were not properly checking the ID type input which allowed to access database objects that the authenticated user may not be allowed to access. This vulnerability can be used to expose the following information: Estimating database row counts from tables with a sequential primary key or Exposing staff user and customer email addresses and full name through the `assignNavigation()` mutation. This issue has been patched in main and backported to multiple releases (3.7.17, 3.6.18, 3.5.23, 3.4.24, 3.3.26, 3.2.14, 3.1.24). Users are advised to upgrade. There are no known workarounds for this issue.
Overview
  • CVE ID
  • CVE-2022-39275
  • Assigner
  • security-advisories@github.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2022-10-06T18:16:17
  • Last Modified Date
  • 2023-01-23T13:52:56
Weakness Enumerations
CWE URL
CWE-863 http://cwe.mitre.org/data/definitions/863.html
CWE-20 http://cwe.mitre.org/data/definitions/20.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:* 1 OR 2.0.0 3.1.24
cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:* 1 OR 3.2.0 3.2.14
cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:* 1 OR 3.3.0 3.3.26
cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:* 1 OR 3.4.0 3.4.24
cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:* 1 OR 3.5.0 3.5.23
cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:* 1 OR 3.6.0 3.6.18
cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:* 1 OR 3.7.0 3.7.17
CVSS Version 3
  • Version
  • 3.1
  • Vector String
  • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • LOW
  • User Interaction
  • NONE
  • Scope
  • UNCHANGED
  • Confidentiality Impact
  • LOW
  • Availability Impact
  • NONE
  • Base Score
  • 4.3
  • Base Severity
  • MEDIUM
  • Exploitability Score
  • 2.8
  • Impact Score
  • 1.4
References
Reference URL Reference Tags
https://github.com/saleor/saleor/security/advisories/GHSA-xhq8-8c5v-w8ff
https://github.com/saleor/saleor/commit/96e04c092ddcac17b14f2e31554aa02d9006d0ce
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2022-39275
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39275
History
Created Old Value New Value Data Type Notes
2022-10-06 19:00:57 Added to TrackCVE
2022-12-07 05:34:45 2022-10-06T18:16Z 2022-10-06T18:16:17 CVE Published Date updated
2022-12-07 05:34:45 2022-11-16T03:09:58 CVE Modified Date updated
2022-12-07 05:34:45 Analyzed Vulnerability Status updated
2023-01-19 15:12:23 Analyzed Undergoing Analysis Vulnerability Status updated
2023-01-19 15:12:24 Weakness Enumeration update
2023-01-23 15:13:26 2023-01-23T13:52:56 CVE Modified Date updated
2023-01-23 15:13:26 Undergoing Analysis Analyzed Vulnerability Status updated