CVE-2019-1010304 - OpenCVE

Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit was released as part of 2.0.0 release is affected by: Incorrect Access Control. The impact is: Important. The component is: ProductVariant type in GraphQL API. The attack vector is: Unauthenticated user can access the GraphQL API (which is by default publicly exposed under `/graphql/` URL) and fetch products data which may include admin-restricted shop's revenue data. The fixed version is: 2.3.1.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mirumee	Saleor

Configuration 1 [-]

cpe:2.3:a:mirumee:saleor:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/mirumee/saleor/issues/3768

History

No history.

MITRE

Status: PUBLISHED

Assigner: dwf

Published: 2019-07-15T14:45:39

Updated: 2024-08-05T03:07:18.378Z

Reserved: 2019-03-20T00:00:00

Link: CVE-2019-1010304

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-07-15T15:15:11.297

Modified: 2020-08-24T17:37:01.140

Link: CVE-2019-1010304

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Saleor", "vendor": "Saleor", "versions": [{"status": "affected", "version": "Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit was released as part of 2.0.0 release [fixed: 2.3.1]"}]}], "descriptions": [{"lang": "en", "value": "Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit was released as part of 2.0.0 release is affected by: Incorrect Access Control. The impact is: Important. The component is: ProductVariant type in GraphQL API. The attack vector is: Unauthenticated user can access the GraphQL API (which is by default publicly exposed under `/graphql/` URL) and fetch products data which may include admin-restricted shop's revenue data. The fixed version is: 2.3.1."}], "problemTypes": [{"descriptions": [{"description": "Incorrect Access Control", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-07-15T14:45:39", "orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "shortName": "dwf"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/mirumee/saleor/issues/3768"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-assign@distributedweaknessfiling.org", "ID": "CVE-2019-1010304", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Saleor", "version": {"version_data": [{"version_value": "Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit was released as part of 2.0.0 release [fixed: 2.3.1]"}]}}]}, "vendor_name": "Saleor"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit was released as part of 2.0.0 release is affected by: Incorrect Access Control. The impact is: Important. The component is: ProductVariant type in GraphQL API. The attack vector is: Unauthenticated user can access the GraphQL API (which is by default publicly exposed under `/graphql/` URL) and fetch products data which may include admin-restricted shop's revenue data. The fixed version is: 2.3.1."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Incorrect Access Control"}]}]}, "references": {"reference_data": [{"name": "https://github.com/mirumee/saleor/issues/3768", "refsource": "MISC", "url": "https://github.com/mirumee/saleor/issues/3768"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:07:18.378Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mirumee/saleor/issues/3768"}]}]}, "cveMetadata": {"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "assignerShortName": "dwf", "cveId": "CVE-2019-1010304", "datePublished": "2019-07-15T14:45:39", "dateReserved": "2019-03-20T00:00:00", "dateUpdated": "2024-08-05T03:07:18.378Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mirumee:saleor:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD350232-AB4B-4C41-B950-BD17C3E61AF5", "versionEndExcluding": "2.3.1", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. This commit was released as part of 2.0.0 release is affected by: Incorrect Access Control. The impact is: Important. The component is: ProductVariant type in GraphQL API. The attack vector is: Unauthenticated user can access the GraphQL API (which is by default publicly exposed under `/graphql/` URL) and fetch products data which may include admin-restricted shop's revenue data. The fixed version is: 2.3.1."}, {"lang": "es", "value": "Saleor Issue se introdujo por merge commit: e1b01bad0703afd08d297ed3f1f472248312cc9c. Esta commit se public\u00f3 como parte de la versi\u00f3n 2.0.0 est\u00e1 afectada por: Control de acceso incorrecto. El impacto es: Importante. El componente es: en el tipo ProductVariant en la API de GraphQL. El vector de ataque es: El usuario no autenticado puede acceder a la API de GraphQL (que se expone p\u00fablicamente por defecto en la URL del archivo \u201c/graphql/\u201d) y obtener datos de productos que pueden incluir datos de ingresos de la tienda restringida por el administrador. La versi\u00f3n corregida es: 2.3.1."}], "id": "CVE-2019-1010304", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-15T15:15:11.297", "references": [{"source": "josh@bress.net", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/mirumee/saleor/issues/3768"}], "sourceIdentifier": "josh@bress.net", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}