CVE-2022-39275 Saleor is a GraphQL platform that was affected by a vulnerability that allowed access to data that should only be accessible to the user who is authenticated.

We would also like to announce that our security team has recently discovered another issue related to the GraphQL API. This new issue, discovered by our security team, has been assigned the CVE-2019-0706. This vulnerability could be exploited to retrieve user data from the database. The vulnerability has been patched in main and backported to multiple releases (3.7.17, 3.6.18, 3.5.23, 3.4.24, 3.3.26, 3.2.14, 3.1.24). Users are advised to upgrade. There are no known workarounds for this issue.

What’s new with GraphQL 3.7?

GraphQL is an open-source data query language and a complete rethinking of web APIs. Version 3 has been released to the public and is available for download on our website.
What’s new in GraphQL 3?
- Quite a few exciting changes including live updates, "serverless" operations, declarative directives and numerous bug fixes to improve performance and stability.
- More than 250 libraries are now available providing support for pre-existing frameworks like React, Angular, VueJS and others.

Where is the GraphQL API?

Installing GraphQL Schema Editor

The vulnerability has been patched in main and backported to multiple releases (3.7.17, 3.6.18, 3.5.23, 3.4.24, 3.3.26, 3.2.14, 3.1.24). Users are advised to upgrade.

Timeline

Published on: 10/06/2022 18:16:00 UTC
Last modified on: 10/11/2022 04:15:00 UTC

References

• https://github.com/saleor/saleor/security/advisories/GHSA-xhq8-8c5v-w8ff
• https://github.com/saleor/saleor/commit/96e04c092ddcac17b14f2e31554aa02d9006d0ce
• https://www.cve.org/CVERecord?id=CVE-2022-39275
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39275