Introduction: Keystone is a popular open source headless CMS for Node.js, built on GraphQL and React. Recently, a security vulnerability (CVE-2023-40027) was discovered in the CMS that applies when ui.isAccessAllowed is left undefined. The vulnerability exposes the adminMeta GraphQL query to public access even when a session strategy is defined, which is not the intended behavior. The issue has been patched in @keystone-6/core version 5.5.1, and users are advised to upgrade. In this post, we discuss the details of the issue, along with the suggested workaround for users who are unable to upgrade.

Exploit Details

The vulnerability arises when the ui.isAccessAllowed function is undefined. In this case, the adminMeta GraphQL query becomes publicly accessible, regardless of whether a session strategy is defined. This differs from the default AdminUI middleware, which only allows public access when no session strategy is defined.

Here's a code snippet that demonstrates the issue:

import { config } from '@keystone-6/core';

export default config({
  // db, lists and session are configured as in your existing project (omitted here)
  ui: {
    // isAccessAllowed is left undefined: on affected versions (before 5.5.1) this
    // leaves the adminMeta GraphQL query reachable without a session
  },
});

It is important to note that this vulnerability does not affect developers using the @keystone-6/auth package or those who have implemented their own ui.isAccessAllowed function. It does affect users who rely on the session strategy alone to keep adminMeta inaccessible to the public, as the AdminUI middleware does.

Solution

To address this vulnerability, the developers have released an updated version of the @keystone-6/core package (version 5.5.1). Users should upgrade to this version as soon as possible. You can upgrade by running the following command:

npm install @keystone-6/core@5.5.1

Alternatively, if you are unable to upgrade, you can implement your own isAccessAllowed function to work around the vulnerability. To do this, define the function within the ui object in your Keystone configuration:

import { config } from '@keystone-6/core';

export default config({
  // db, lists and session are configured as in your existing project (omitted here)
  ui: {
    // Workaround: receives the request context; deny any request without a session.
    isAccessAllowed: async ({ session }) => {
      // Implement your custom access control logic here
      return !!session;
    },
  },
});

With this workaround in place, the adminMeta GraphQL query is only accessible according to your own access control logic, which prevents unauthenticated access.
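Whichever path you take (upgrading to 5.5.1 or adding an isAccessAllowed function), it is worth confirming on your own deployment that an anonymous client can no longer read adminMeta. The following is an added example, not code from the advisory or the Keystone project; it assumes the GraphQL endpoint is served at /api/graphql, that the Admin UI metadata is exposed under keystone { adminMeta { lists { key } } }, and Node 18+ for the global fetch. The sample response bodies are constructed for offline use.

```javascript
// Added example: post-remediation check for CVE-2023-40027.
// Sends the adminMeta query with NO session and reports whether data came back.
// Assumed endpoint path and field names; adjust to your deployment.

const ADMIN_META_QUERY = 'query { keystone { adminMeta { lists { key } } } }';

// Classify a parsed GraphQL response body from an anonymous request.
// We only look at whether adminMeta list data is present, not at the
// exact error text, so this works even if the error message changes.
function classifyAdminMetaResponse(body) {
  const lists = body?.data?.keystone?.adminMeta?.lists;
  if (Array.isArray(lists)) {
    return { exposed: true, listKeys: lists.map((l) => l.key), errors: [] };
  }
  const errors = (body?.errors ?? []).map((e) => e.message);
  return { exposed: false, listKeys: [], errors };
}

// Perform the anonymous request against your own Keystone instance.
// No cookie or authorization header is sent on purpose: this simulates the
// unauthenticated client that the fix is supposed to reject.
async function checkAdminMetaExposure(graphqlUrl) {
  const res = await fetch(graphqlUrl, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({ query: ADMIN_META_QUERY }),
  });
  return classifyAdminMetaResponse(await res.json());
}

// Constructed sample bodies (not real captures) showing the two outcomes.
const SAMPLE_EXPOSED = {
  data: { keystone: { adminMeta: { lists: [{ key: 'User' }, { key: 'Post' }] } } },
};
const SAMPLE_DENIED = {
  data: { keystone: { adminMeta: null } },
  errors: [{ message: 'Access denied' }],
};

// Run against a live instance only when KEYSTONE_GRAPHQL_URL is set,
// e.g. KEYSTONE_GRAPHQL_URL=http://localhost:3000/api/graphql node check.js
if (process.env.KEYSTONE_GRAPHQL_URL) {
  checkAdminMetaExposure(process.env.KEYSTONE_GRAPHQL_URL).then((result) => {
    console.log(result.exposed ? 'adminMeta EXPOSED to anonymous clients' : 'adminMeta denied', result);
    process.exitCode = result.exposed ? 1 : 0;
  });
}
```

A non-zero exit means the anonymous query still returned list metadata, so the upgrade or workaround has not taken effect on that deployment.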

Conclusion

In summary, users of the Keystone headless CMS should be aware of CVE-2023-40027, which leaves the adminMeta GraphQL query unrestricted when ui.isAccessAllowed is undefined. It is highly recommended to upgrade to @keystone-6/core version 5.5.1, or to implement a custom isAccessAllowed function as a workaround, to resolve the issue.

Timeline

Published on: 08/15/2023 18:15:00 UTC
Last modified on: 08/23/2023 00:04:00 UTC