Dcousens

**Name of the Vulnerable Software and Affected Versions** @keystone-6/core versions prior to 5.5.1 **Description** The issue arises when `ui.isAccessAllowed` is set as `undefined`, making the `adminMeta` GraphQL query publicly accessible without requiring a session. This behavior differs from the default AdminUI middleware, which only allows public access if a `session` strategy is not defined. The vulnerability affects users who rely on their `session` strategy to restrict public access to `adminMeta` by default, similar to the AdminUI middleware's behavior. It does not affect developers using the `@keystone-6/auth` package or those who have defined their own `ui.isAccessAllowed` functionality. **Recommendations** For versions prior to 5.5.1, upgrade to version 5.5.1 to resolve the issue. As a temporary workaround for users unable to upgrade, consider writing your own `isAccessAllowed` functionality to mitigate the vulnerability.

**Name of the Vulnerable Software and Affected Versions** Keystone 5 (affected versions not specified) **Description** This issue relates to a newly discovered capability in the query infrastructure to directly or indirectly expose the values of private fields, bypassing the configured access control. It is an access control related oracle attack that guides an attacker during their attempt to reveal information they do not have access to. The complexity of completing the attack is limited by some length-dependent behaviors and the fidelity of the exposed information. Under some circumstances, field values or field value meta data can be determined, despite the field or list having `read` access control configured. If you use private fields or lists, you may be impacted. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.