
CVE-2021-28661 Default GraphQL permission checker not inherited by query subclass

Severity: Low
Versions Affected:
silverstripe/graphql: ^3.0.0
Versions Fixed:
silverstripe/graphql: ^3.5.2, silverstripe/graphql: ^3.6.0
Release Date:

CMS users with limited permissions to view data may be able to access privileged information via the /admin/graphql endpoint because of a missing canView() check on the returned data. This affects data classes that use or inherit from the GraphQL 3 Read or ReadOne classes without explicitly assigning a service class to the permissionChecker property of their implementation. On a default installation this exposes limited information (ID, FirstName, Surname) from the Member table, which a CMS user typically would not have access to.

GraphQL 4 is not affected by this issue.

If you have a legitimate use for an ItemQuery/ListQuery scaffolder class without a permission checker, you can use the following example.

```yaml
# Put this in `app/_config/mysite.yml` or another config file.
# The top-level key is the standard SilverStripe Injector config key; it was
# lost in the page extraction and is restored here from the `%$` service
# references and `properties:` entries, which are Injector configuration.
SilverStripe\Core\Injector\Injector:
  My\App\QueryPermissionChecker.nocheck:
    class: My\App\NoCheckPermissionChecker
  My\App\CustomItemQueryScaffolder:
    properties:
      permissionChecker: '%$My\App\QueryPermissionChecker.nocheck'
  My\App\CustomListQueryScaffolder:
    properties:
      permissionChecker: '%$My\App\QueryPermissionChecker.nocheck'
```

```php
<?php

namespace My\App;

use SilverStripe\GraphQL\Permission\QueryPermissionChecker;
use SilverStripe\ORM\Filterable;
use SilverStripe\Security\Member;

/**
 * A permission checker that deliberately performs no checks. Only wire this
 * into a scaffolder whose data is genuinely safe to expose to every CMS user.
 */
class NoCheckPermissionChecker implements QueryPermissionChecker
{
    // Return the list unfiltered: every record is visible to every member.
    public function applyToList(Filterable $list, Member $member = null)
    {
        return $list;
    }

    // Every single item is treated as viewable, regardless of member.
    public function checkItem($item, Member $member = null)
    {
        return true;
    }
}
```
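For contrast with the no-check class above, the following is an added example (not part of the advisory and not the module's own code) of a permission checker that does enforce canView() on every record a Read or ReadOne query returns. It assumes the interface signatures shown in the advisory's snippet; the class name `My\App\CanViewOnlyPermissionChecker` is an assumed name, and it is wired in with the same `permissionChecker` Injector property as the no-check example.

```php
<?php

namespace My\App;

use SilverStripe\GraphQL\Permission\QueryPermissionChecker;
use SilverStripe\ORM\Filterable;
use SilverStripe\Security\Member;

/**
 * Added example (assumed class name): a checker that denies by default and
 * only passes records whose own canView() rules allow the current member.
 */
class CanViewOnlyPermissionChecker implements QueryPermissionChecker
{
    /**
     * Remove every record the member may not view. filterByCallback() runs the
     * per-record check, so a list query cannot leak rows that a ReadOne on the
     * same record would have refused.
     */
    public function applyToList(Filterable $list, Member $member = null)
    {
        return $list->filterByCallback(function ($item) use ($member) {
            return $this->checkItem($item, $member);
        });
    }

    /**
     * A single record is readable only if it exposes canView() and that call
     * returns true. Objects without canView() are refused rather than allowed,
     * which is the opposite default to NoCheckPermissionChecker.
     */
    public function checkItem($item, Member $member = null)
    {
        if (!is_object($item) || !method_exists($item, 'canView')) {
            return false;
        }

        return (bool) $item->canView($member);
    }
}
```

When auditing an installation for this issue, list every class extending the Read/ReadOne (ItemQuery/ListQuery) scaffolders and confirm each one either sets `permissionChecker` to a checker like the one above or has a documented reason for the no-check variant.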

Base CVSS: 3.0