Critical vulnerability impacting Hasura GraphQL Engine v2.10.0 onwards

Shahidh K Muhammed

Nov 22, 2022, 10:55:43 PM
to hasura-secur...@googlegroups.com
Hello folks,

A critical vulnerability has been discovered on Hasura GraphQL Engine v2.10.0 and later. It impacts Community, Enterprise and Cloud Editions. Hasura Cloud has already been patched and is no longer vulnerable.

We urge all users to upgrade to the following patched versions immediately.

Community Edition

| Affected versions | Patched version |
|---|---|
| v2.15.1, v2.15.0 | v2.15.2 |
| v2.14.0 | v2.14.1 |
| v2.13.1, v2.13.0 | v2.13.2 |
| v2.12.0 | v2.12.1 |
| v2.11.2, v2.11.1, v2.11.0 | v2.11.3 |
| v2.10.1, v2.10.0 | v2.10.2 |

Enterprise Edition

| Affected versions | Patched version |
|---|---|
| v2.15.1, v2.15.0 | v2.15.2 |
| v2.14.0 | v2.14.1 |
| v2.13.1, v2.13.0 | v2.13.2 |
| v2.12.0 | v2.12.1 |
| v2.11.2-pro.1, v2.11.1-pro.1, v2.11.0-pro.1 | v2.11.3-pro.1 |
| v2.10.1-pro.1, v2.10.0-pro.1 | v2.10.2-pro.1 |

*Note: Starting with v2.12.0, Community and Enterprise editions are the same.

Hasura Cloud has already been patched. No action is required from customers.

More details about the vulnerability will be shared on Dec 7th 2022 to give users enough time to update their deployments. If you have any questions or comments about this advisory, reach out to us on sup...@hasura.io.

-- Hasura Security Team

Timothy Cline

Dec 7, 2022, 7:00:35 PM
to Hasura Security Announcements
Hello folks,

As promised, a detailed announcement has been crafted and released. You can read it here: https://hasura.io/blog/critical-vulnerability-in-hasuras-graphql-engine-v2-10-0/. Please reach out to sup...@hasura.io if you have any questions or comments.

As a reminder, Hasura Cloud has already been patched and no action is needed for anything hosted through Hasura Cloud. Any vulnerable self-hosted Hasura instances should be updated per the table in the previous announcement.

Thank you,
- Hasura Security Team
