
CVE-2021-28661:
SilverStripe GraphQL Server permission checker not inherited by query subclass.

CVSS Score (v3.1): 4.3

Basic Information

EPSS Score: 0.38811%
Published: 10/12/2021
Updated: 2/6/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name: silverstripe/graphql
Ecosystem: composer
Vulnerable Versions: >= 3.0.0, < 3.5.2
First Patched Version: 3.5.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability is in the getPermissionChecker method: when no permission checker had been set, it returned null instead of falling back to a default. The security patch (commit 1696145) adds an explicit fallback to the QueryPermissionChecker.default service via dependency injection when permissionChecker is null. Before the patch, a query subclass that did not set its own checker therefore inherited no authorization enforcement at all.
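The null-versus-default lookup described above, as an added illustration written for this page and not taken from the silverstripe/graphql module: the class names, the applyToList method, the defaultChecker() stand-in for the Injector service and the sample records are all hypothetical. It assumes, for illustration, that a resolver skips filtering when its checker is null.

```php
<?php
// Hypothetical reconstruction (not the module's code) of the lookup the
// advisory describes: an unset checker returned as null before the patch,
// and the default-checker fallback added by the fix.

interface QueryPermissionChecker {
    public function applyToList(array $items, ?string $member): array;
}

// Hypothetical default checker: keep only records the member may view.
final class CanViewChecker implements QueryPermissionChecker {
    public function applyToList(array $items, ?string $member): array {
        return array_values(array_filter(
            $items,
            fn($r) => $r['public'] || $r['owner'] === $member
        ));
    }
}

// Stand-in for resolving the 'QueryPermissionChecker.default' service.
function defaultChecker(): QueryPermissionChecker { return new CanViewChecker(); }

// Pre-patch shape: an unset checker is handed back as null.
abstract class VulnerableQuery {
    protected ?QueryPermissionChecker $permissionChecker = null;
    public function getPermissionChecker(): ?QueryPermissionChecker {
        return $this->permissionChecker;
    }
    // Assumed resolver behaviour: null checker means no filtering is applied.
    public function resolve(array $items, ?string $member): array {
        $checker = $this->getPermissionChecker();
        return $checker ? $checker->applyToList($items, $member) : $items;
    }
}

// Patched shape: fall back to the default checker when none was set.
abstract class PatchedQuery extends VulnerableQuery {
    public function getPermissionChecker(): ?QueryPermissionChecker {
        return $this->permissionChecker ?? defaultChecker();
    }
}

// Query subclasses that never configure their own checker, as in the advisory.
final class VulnerableReadQuery extends VulnerableQuery {}
final class PatchedReadQuery extends PatchedQuery {}

$records = [ // constructed sample data
    ['id' => 1, 'owner' => 'alice', 'public' => false],
    ['id' => 2, 'owner' => 'bob',   'public' => true],
];
$before = (new VulnerableReadQuery())->resolve($records, 'bob');
$after  = (new PatchedReadQuery())->resolve($records, 'bob');
printf("unpatched: %d record(s), patched: %d record(s)\n", count($before), count($after));
```

With the unpatched query, bob sees alice's private record because no checker filters the list; with the patched query, the default checker applies.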
