CVE-2023-40027: Missing Authorization
Keystone is an open source headless CMS for Node.js — built with GraphQL and React. When ui.isAccessAllowed
is set as undefined
, the adminMeta
GraphQL query is publicly accessible (no session required). This is different to the behaviour of the default AdminUI middleware, which by default will only be publicly accessible (no session required) if a session
strategy is not defined. This vulnerability does not affect developers using the @keystone-6/auth
package, or any users that have written their own ui.isAccessAllowed
(that is to say, isAccessAllowed
is not undefined
). This vulnerability does affect users who believed that their session
strategy will, by default, enforce that adminMeta
is inaccessible by the public in accordance with that strategy; akin to the behaviour of the AdminUI middleware. This vulnerability has been patched in @keystone-6/core
version 5.5.1
. Users are advised to upgrade. Users unable to upgrade may opt to write their own isAccessAllowed
functionality to work-around this vulnerability.
References
- github.com/advisories/GHSA-9cvc-v7wm-992c
- github.com/keystonejs/keystone/commit/650e27e6e9b42abfb94c340c8470faf61f0ff284
- github.com/keystonejs/keystone/pull/8771
- github.com/keystonejs/keystone/releases/tag/2023-08-15
- github.com/keystonejs/keystone/security/advisories/GHSA-9cvc-v7wm-992c
- nvd.nist.gov/vuln/detail/CVE-2023-40027
Detect and mitigate CVE-2023-40027 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →