Impact
A critical vulnerability has been discovered on Hasura GraphQL Engine v2.10.0 and later. It impacts Community, Enterprise and Cloud Editions. Hasura Cloud has already been patched and is no longer vulnerable.
We urge all users to upgrade to the following patched versions immediately.
Patches
Community Edition
Enterprise Edition
*Note: Starting with v2.12.0, Community and Enterprise editions are on the same release.
Hasura Cloud
Hasura Cloud has already been patched. No action is required from customers.
More details
In the implementation of the new Update Many API for Postgres backends, there was a bug in the code which would enforce the row level authorization mechanisms. Since this was within the Update Many API, a user could perform an update on any column they had update permissions to on any row within the target table, and subsequently retrieve any columns they had select permissions on from any impacted rows. In order for this to be exploited, the Update Many API would need to be called against a Postgres datastore, the API would need to not have been disabled using the configuration added in 2.14.0, the caller of the API would need to have update permissions on the target table, and the API would need to not be restricted by Allow Lists.
Identifying Impacts
You can look into calls to the Update Many API within your services and review any tables which have been the target of these calls. If you have disabled API and telemetry logging or are not certain you keep all of these records long enough, then you should do a consistency check across all of your Postgres datastores behind the affected versions as listed above.
Impact
A critical vulnerability has been discovered on Hasura GraphQL Engine v2.10.0 and later. It impacts Community, Enterprise and Cloud Editions. Hasura Cloud has already been patched and is no longer vulnerable.
We urge all users to upgrade to the following patched versions immediately.
Patches
Community Edition
Enterprise Edition
*Note: Starting with v2.12.0, Community and Enterprise editions are on the same release.
Hasura Cloud
Hasura Cloud has already been patched. No action is required from customers.
More details
In the implementation of the new Update Many API for Postgres backends, there was a bug in the code which would enforce the row level authorization mechanisms. Since this was within the Update Many API, a user could perform an update on any column they had update permissions to on any row within the target table, and subsequently retrieve any columns they had select permissions on from any impacted rows. In order for this to be exploited, the Update Many API would need to be called against a Postgres datastore, the API would need to not have been disabled using the configuration added in 2.14.0, the caller of the API would need to have update permissions on the target table, and the API would need to not be restricted by Allow Lists.
Identifying Impacts
You can look into calls to the Update Many API within your services and review any tables which have been the target of these calls. If you have disabled API and telemetry logging or are not certain you keep all of these records long enough, then you should do a consistency check across all of your Postgres datastores behind the affected versions as listed above.