Unauthenticated path traversal vulnerability in Hasura GraphQL Engine


Hasura Security Announcements

March 13, 2023, 18:15:37
To: Hasura Security Announcements
https://github.com/hasura/graphql-engine/security/advisories/GHSA-c9rw-rw2f-mj4x 

Description

Security Notification
A Path Traversal security vulnerability has been recently discovered within the GraphQL Engine.

What we have done

We have patched versions 1.3, 2.11, 2.20, and 2.21-beta.

  • v2.11.5
  • v2.20.1
  • v2.21.0-beta.1
  • v1.3.4

What action do I need to take?
Hasura Cloud Projects: Projects running on Hasura Cloud were not vulnerable. No further action is needed unless you also self-host Hasura (see below).
Self-hosted Hasura Projects (Community Edition or Enterprise Edition): If your deployment is publicly exposed and not protected by a WAF or other HTTP protection layer, you need to update immediately to one of the fixed versions.

Public disclosure update
We are issuing a security advisory to the larger user community. A detailed public disclosure of this vulnerability is scheduled for 3/27/2023 to allow all users enough time to mitigate the issue.
If you have any questions or concerns, please do reach out to us at sup...@hasura.io.

Thank you,
The Hasura Cloud Team
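For triaging self-hosted deployments against the fixed versions listed in the notice above, here is an added example (not Hasura's code, and not part of the original announcement) that parses a Hasura version tag and reports whether it predates the fix for its release line. It assumes Hasura's tag format (`vMAJOR.MINOR.PATCH`, optionally `-beta.N`) and that any build at or after the listed fixed version carries the patch; release lines the notice does not name are reported as not covered rather than as safe.

```python
import re
from typing import Optional, Tuple

# Fixed versions exactly as listed in the notice, keyed by release line.
FIXED_VERSIONS = {
    (1, 3): "v1.3.4",
    (2, 11): "v2.11.5",
    (2, 20): "v2.20.1",
    (2, 21): "v2.21.0-beta.1",
}

# Assumed Hasura tag shape: v2.11.5 or v2.21.0-beta.1 (leading "v" optional).
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.(\d+))?$")

Version = Tuple[int, int, int, str, Optional[int]]


def parse_version(text: str) -> Version:
    """Return (major, minor, patch, prerelease_tag, prerelease_num)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Hasura version string: {text!r}")
    major, minor, patch, tag, num = m.groups()
    return (int(major), int(minor), int(patch), tag or "", int(num) if num else None)


def sort_key(v: Version):
    """Ordering key: a pre-release (e.g. -beta.1) sorts before the final x.y.z."""
    major, minor, patch, tag, num = v
    is_final = 1 if not tag else 0
    return (major, minor, patch, is_final, tag, num or 0)


def needs_update(running: str) -> Tuple[bool, bool]:
    """Return (line_covered, update_required) for a running Hasura version.

    line_covered is False when the notice names no fix for that release line;
    in that case consult the advisory rather than treating the build as safe.
    """
    v = parse_version(running)
    line = (v[0], v[1])
    if line not in FIXED_VERSIONS:
        return (False, False)
    fixed = parse_version(FIXED_VERSIONS[line])
    return (True, sort_key(v) < sort_key(fixed))
```

Feed it the version string your deployment reports (for example from the image tag or the engine's version endpoint) and act on a `(True, True)` result by upgrading to the listed fixed version.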

Hasura Security Announcements

March 27, 2023, 10:04:20
To: Hasura Security Announcements
Hello folks,

As promised, a detailed announcement has been crafted and released. You can read it here: https://github.com/hasura/graphql-engine/security/advisories/GHSA-c9rw-rw2f-mj4x . Please reach out to sup...@hasura.io if you have any questions or comments.

As a reminder, Hasura Cloud was not vulnerable and no action is needed for anything hosted through Hasura Cloud. Any vulnerable self-hosted Hasura instances should be updated per the advisory.

Thank you,
- Hasura Security Team