CVE-2021-47714

Name of the Vulnerable Software and Affected Versions Hasura GraphQL version 1.3.3

Description Hasura GraphQL version 1.3.3 has a local file read issue. Attackers can access system files through SQL injection in the query endpoint. Exploitation involves the pg read file() PostgreSQL function via crafted SQL queries to read arbitrary files on the server. The vulnerable endpoint is '/api/v1/query'. The vulnerable function is pg read file(). The vulnerable parameter is the SQL query itself.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the query endpoint '/api/v1/query' to minimize the risk of exploitation.