一、 漏洞 CVE-2023-40027 基础信息
漏洞标题
在 @keystone-6/core 中 conditionally 缺失授权
来源:AIGC 神龙大模型
漏洞描述信息
在@keystone-6/core中存在条件性缺失的授权
来源:AIGC 神龙大模型
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
来源:AIGC 神龙大模型
漏洞类别
授权机制不正确
来源:AIGC 神龙大模型
漏洞标题
Conditionally missing authorization in @keystone-6/core
来源:美国国家漏洞数据库 NVD
漏洞描述信息
Keystone is an open source headless CMS for Node.js — built with GraphQL and React. When `ui.isAccessAllowed` is set as `undefined`, the `adminMeta` GraphQL query is publicly accessible (no session required). This is different to the behaviour of the default AdminUI middleware, which by default will only be publicly accessible (no session required) if a `session` strategy is not defined. This vulnerability does not affect developers using the `@keystone-6/auth` package, or any users that have written their own `ui.isAccessAllowed` (that is to say, `isAccessAllowed` is not `undefined`). This vulnerability does affect users who believed that their `session` strategy will, by default, enforce that `adminMeta` is inaccessible by the public in accordance with that strategy; akin to the behaviour of the AdminUI middleware. This vulnerability has been patched in `@keystone-6/core` version `5.5.1`. Users are advised to upgrade. Users unable to upgrade may opt to write their own `isAccessAllowed` functionality to work-around this vulnerability.
来源:美国国家漏洞数据库 NVD
CVSS信息
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
来源:美国国家漏洞数据库 NVD
漏洞类别
授权机制缺失
来源:美国国家漏洞数据库 NVD
漏洞标题
Keystone 安全漏洞
来源:中国国家信息安全漏洞库 CNNVD
漏洞描述信息
Keystone是OpenStack开源的一款强大的CMS。用于帮助您比任何其他 Cms 或应用程序框架更快地构建和扩展。 Keystone 存在安全漏洞,该漏洞源于当 ui.isAccessAllowed 设置为 undefined 时,adminMeta GraphQL 查询可公开访问。
来源:中国国家信息安全漏洞库 CNNVD
CVSS信息
N/A
来源:中国国家信息安全漏洞库 CNNVD
漏洞类别
其他
来源:中国国家信息安全漏洞库 CNNVD
二、漏洞 CVE-2023-40027 的公开POC
# POC 描述 源链接 神龙链接
三、漏洞 CVE-2023-40027 的情报信息