CVE-2020-26136 GraphQL doesn't honour MFA when using basic auth
- Medium (?)
- Versions Affected:
- silverstripe/graphql: ^3.0.0, ^4.0.0-alpha1
- Versions Fixed:
- silverstripe/graphql: ^3.5.0, ^4.0.0-alpha2
- Release Date:
The GraphQL module accepts basic-auth as an authentication method by default. This can be used to bypass MFA authentication if the silverstripe/mfa module is installed, which is now a commonly installed module. A users password is still required though.
Basic-auth has been removed as a default authentication method. It desired, it can be re-enabled by adding it to the authenticators key of a schema, or on SilverStripe\Graphql\Auth\Handler, i.e.
authenticators: - class: SilverStripe\GraphQL\Auth\BasicAuthAuthenticator priority: 20
Base CVSS: 4.2
CWP CVSS: 4.2
Reporters: Maxime Rainville from Silverstripe Ltd