Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2024-47082

Good to know:

icon
icon

Date: September 25, 2024

Strawberry GraphQL is a library for creating GraphQL APIs. Prior to version 0.243.0, multipart file upload support as defined in the GraphQL multipart request specification was enabled by default in all Strawberry HTTP view integrations. This made all Strawberry HTTP view integrations vulnerable to cross-site request forgery (CSRF) attacks if users did not explicitly enable CSRF preventing security mechanism for their servers. Additionally, the Django HTTP view integration, in particular, had an exemption for Django's built-in CSRF protection (i.e., the "CsrfViewMiddleware" middleware) by default. In affect, all Strawberry integrations were vulnerable to CSRF attacks by default. Version "v0.243.0" is the first "strawberry-graphql" including a patch.

Language: Python

Severity Score

Related Resources (7)

https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-79gp-q4wv-33fr
https://strawberry.rocks/docs/breaking-changes/0.243.0
https://github.com/pypa/advisory-database/tree/main/vulns/strawberry-graphql/PYSEC-2024-171.yaml
https://github.com/strawberry-graphql/strawberry/commit/37265b230e511480a9ceace492f9f6a484be1387
https://github.com/strawberry-graphql/strawberry
https://nvd.nist.gov/vuln/detail/CVE-2024-47082
https://www.mend.io/vulnerability-database/CVE-2024-47082

Severity Score

Weakness Type (CWE)

Cross-Site Request Forgery (CSRF)

CWE-352

Top Fix

icon

Upgrade Version

Upgrade to version strawberry-graphql - 0.243.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): LOW
Availability (A): LOW

Do you need more information?

Contact Us