
CVE-2020-26136 GraphQL doesn't honour MFA when using basic auth

Severity:
Medium
Identifier:
CVE-2020-26136
Versions Affected:
silverstripe/graphql: ^3.0.0, ^4.0.0-alpha1
Versions Fixed:
silverstripe/graphql: ^3.5.0, ^4.0.0-alpha2
Release Date:
2021-06-08

The GraphQL module accepts HTTP basic auth as an authentication method by default. If the silverstripe/mfa module is installed (now a commonly installed module), a GraphQL request that carries a valid username and password in a basic-auth header is authenticated without completing the MFA step, so MFA can be bypassed for GraphQL requests. The user's password is still required.

Basic auth has been removed as a default authentication method. If desired, it can be re-enabled by adding it to the authenticators key of a schema, or on SilverStripe\GraphQL\Auth\Handler, e.g.

  authenticators:
    -
      class: SilverStripe\GraphQL\Auth\BasicAuthAuthenticator
      priority: 20
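The two placements the advisory mentions, written out as a complete YAML config file, as an added example that is not part of the original advisory or the module's own documentation. The file name `app/_config/graphql.yml`, the config block name, the `default` schema name and the exact shape of the per-schema key under `SilverStripe\GraphQL\Manager` are assumptions; only the `authenticators` key, the `class` and `priority` fields and the class names are taken from the advisory.

```yaml
---
Name: app-graphql-basic-auth
---
# Option 1 (assumption: global placement on the auth Handler).
# Re-enabling basic auth restores the behaviour this advisory fixes:
# a member with MFA enabled can authenticate to GraphQL with only a
# username and password. Only do this for schemas consumed by trusted
# service accounts, never for the schema the CMS front-end uses.
SilverStripe\GraphQL\Auth\Handler:
  authenticators:
    -
      class: SilverStripe\GraphQL\Auth\BasicAuthAuthenticator
      priority: 20

# Option 2 (assumption: per-schema placement under Manager.schemas).
# Scoping the authenticator to one schema limits the MFA bypass to that
# schema instead of every GraphQL endpoint on the site.
SilverStripe\GraphQL\Manager:
  schemas:
    default:
      authenticators:
        -
          class: SilverStripe\GraphQL\Auth\BasicAuthAuthenticator
          priority: 20
```

After adding either block, flush the config cache (`dev/build?flush=1` or `sake dev/build flush=1`) and confirm with a request that sends an `Authorization: Basic` header for an MFA-enabled test member: on a patched install without this config the request should be treated as unauthenticated, and with it the request will succeed without an MFA challenge, which is exactly the trade-off being opted into.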

Base CVSS: 4.2

CWP CVSS: 4.2

Reporters: Maxime Rainville from Silverstripe Ltd