CVE-2023-27588

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-27588
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-27588.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-27588
Aliases
  • GHSA-c9rw-rw2f-mj4x
Published
2023-03-14T17:23:10.499Z
Modified
2025-11-29T14:09:53.442080Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Unauthenticated path traversal vulnerability in Hasura GraphQL Engine
Details

Hasura is an open-source product that provides users GraphQL or REST APIs. A path traversal vulnerability has been discovered within Hasura GraphQL Engine prior to versions 1.3.4, 2.55.1, 2.20.1, and 2.21.0-beta1. Projects running on Hasura Cloud were not vulnerable. Self-hosted Hasura Projects with deployments that are publicly exposed and not protected by a WAF or other HTTP protection layer should be upgraded to version 1.3.4, 2.55.1, 2.20.1, or 2.21.0-beta1 to receive a patch.

Database specific 
{
    "cwe_ids": [
        "CWE-22",
        "CWE-27"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/27xxx/CVE-2023-27588.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/hasura/graphql-engine

Affected ranges

Type
GIT
Repo
https://github.com/hasura/graphql-engine
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
551b3406322c980ece674bbe9d07009dc9e47792
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.3.4"
        }
    ]
}
Type
GIT
Repo
https://github.com/hasura/graphql-engine
Events
Introduced
91d013b1bb567656a7e0340a87cff0b195dbddbd
Fixed
0aff8e3c90c3dd1f3857e2fa8e05da2c38c23e3c
Database specific 
{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.11.5"
        }
    ]
}
Type
GIT
Repo
https://github.com/hasura/graphql-engine
Events
Introduced
f4007596fb36426c7ffb400b9979809560d66449
Fixed
f0ce6c3208afb0eaf1176c0a4a56d4454a49caa1
Database specific 
{
    "versions": [
        {
            "introduced": "2.2.0"
        },
        {
            "fixed": "2.20.1"
        }
    ]
}

Affected versions

cli/v2.*

cli/v2.1.0
cli/v2.1.1
cli/v2.10.0-beta.1
cli/v2.11.0-beta.1
cli/v2.16.0-beta.1
cli/v2.2.0
cli/v2.20.0
cli/v2.20.0-beta.1
cli/v2.8.0-beta.1
cli/v2.9.0-beta.1

v1.*

v1.0.0
v1.0.0-alpha0
v1.0.0-alpha01
v1.0.0-alpha02
v1.0.0-alpha03
v1.0.0-alpha04
v1.0.0-alpha05
v1.0.0-alpha06
v1.0.0-alpha07
v1.0.0-alpha08
v1.0.0-alpha09
v1.0.0-alpha10
v1.0.0-alpha11
v1.0.0-alpha12
v1.0.0-alpha13
v1.0.0-alpha14
v1.0.0-alpha15
v1.0.0-alpha16
v1.0.0-alpha17
v1.0.0-alpha18
v1.0.0-alpha20
v1.0.0-alpha21
v1.0.0-alpha22
v1.0.0-alpha23
v1.0.0-alpha24
v1.0.0-alpha25
v1.0.0-alpha26
v1.0.0-alpha27
v1.0.0-alpha28
v1.0.0-alpha29
v1.0.0-alpha30
v1.0.0-alpha31
v1.0.0-alpha32
v1.0.0-alpha33
v1.0.0-alpha34
v1.0.0-alpha35
v1.0.0-alpha36
v1.0.0-alpha37
v1.0.0-alpha38
v1.0.0-alpha39
v1.0.0-alpha40
v1.0.0-alpha41
v1.0.0-alpha42
v1.0.0-alpha43
v1.0.0-alpha44
v1.0.0-alpha45
v1.0.0-beta.1
v1.0.0-beta.10
v1.0.0-beta.2
v1.0.0-beta.3
v1.0.0-beta.4
v1.0.0-beta.5
v1.0.0-beta.6
v1.0.0-beta.7
v1.0.0-beta.8
v1.0.0-beta.9
v1.0.0-rc.1

v2.*

v2.0.0-alpha.3
v2.0.0-alpha.4
v2.0.0-alpha.7
v2.0.0-beta.1
v2.0.1
v2.0.7
v2.0.8
v2.1.0
v2.1.0-beta.1
v2.1.0-beta.3
v2.10.0-beta.1
v2.11.0-beta.1
v2.16.0-beta.1
v2.2.0
v2.20.0
v2.20.0-beta.1
v2.3.0-beta.1
v2.4.0-beta.2
v2.8.0-beta.1
v2.9.0-beta.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-27588.json"