CVE-2019-1000011

MEDIUM6.5EPSS 0.16%

Incorrect Access Control vulnerability in api-platform/core

Published: 10/14/2019Modified: 11/8/2023

Description

API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource can delete any resource. This attack appears to be exploitable via the user must be authorized. This vulnerability appears to have been fixed in 2.3.6.

Affected packages (1)

Packagist/api-platform/core>= 2.2.0, < 2.2.10

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-1000011
WEBhttps://github.com/api-platform/core/issues/2364
WEBhttps://github.com/api-platform/core/pull/2441
WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/api-platform/core/CVE-2019-1000011.yaml