Description

Strawberry GraphQL is a library for creating GraphQL APIs. Prior to version 0.243.0, multipart file upload support as defined in the GraphQL multipart request specification was enabled by default in all Strawberry HTTP view integrations. This made all Strawberry HTTP view integrations vulnerable to cross-site request forgery (CSRF) attacks if users did not explicitly enable CSRF preventing security mechanism for their servers. Additionally, the Django HTTP view integration, in particular, had an exemption for Django's built-in CSRF protection (i.e., the `CsrfViewMiddleware` middleware) by default. In affect, all Strawberry integrations were vulnerable to CSRF attacks by default. Version `v0.243.0` is the first `strawberry-graphql` including a patch.

INFO

Published Date :

2024-09-25T17:48:24.065Z

Last Modified :

2024-09-25T18:05:24.810Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-47082 vulnerability.

Vendors Products
Strawberryrocks
  • Strawberry
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-47082.

URL Resource
https://github.com/strawberry-graphql/strawberry/commit/37265b230e511480a9ceace492f9f6a484be1387 cve-icon cve-icon
https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-79gp-q4wv-33fr cve-icon cve-icon
https://strawberry.rocks/docs/breaking-changes/0.243.0 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact