CVE-2020-6165

Name of the Vulnerable Software and Affected Versions SilverStripe version 4.5.0

Description The issue allows attackers to read certain records that should not have been placed into a result set. This is due to the automatic permission-checking mechanism in the silverstripe/graphql module not providing complete protection against lists that are limited, resulting in records being added to the final result set despite failing a permission check. The "admin/graphql" endpoint is access protected by default, limiting the issue to authenticated users, including those with limited permissions. However, custom GraphQL endpoints configured under "/graphql" could allow exploitation through unauthenticated requests. The issue only applies to reading records and does not allow unauthorized changing of records.

Recommendations For SilverStripe version 4.5.0, consider disabling custom GraphQL endpoints configured under "/graphql" to minimize the risk of exploitation until a patch is available. Restrict access to the "admin/graphql" endpoint to administrator permissions to prevent authenticated users with limited permissions from exploiting the issue. Avoid using the silverstripe/graphql module for sensitive data until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.