
CVE-2022-46792: n/a in n/a

High
Tags: Vulnerability, CVE-2022-46792, cve, n-a, cwe-863
Published: Thu Dec 08 2022 (12/08/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends. The fixed versions are 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2. (Versions before 2.10.0 are unaffected.)

AI-Powered Analysis

Last updated: 06/21/2025, 18:37:26 UTC

Technical Analysis

CVE-2022-46792 is a high-severity vulnerability in the Hasura GraphQL Engine, specifically in the Update Many API (the `update_<table>_many` mutation) when used with Postgres backends. The flaw is an improper handling of row-level authorization, classified under CWE-863 (Incorrect Authorization): an attacker who can already issue mutations as a non-admin role (CVSS PR:L, low privileges required) can bypass the row-level access controls that are supposed to limit which rows a bulk update may touch. The attacker can therefore modify rows they are not permitted to reach, affecting the confidentiality, integrity, and availability of the database records.

Affected versions run from 2.10.0 up to, but not including, the fixed releases 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2 on their respective minor lines. Versions before 2.10.0 are not affected (the Update Many API was introduced in 2.10.0).

The CVSS 3.1 base score is 8.8 (High): network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). No exploits are currently reported in the wild.

The issue is of particular concern where Hasura GraphQL Engine serves as the API layer in front of Postgres in multi-tenant or sensitive-data deployments, because those are exactly the setups that rely on per-role row-level permissions to keep tenants and users apart. Exploitation amounts to unauthorized bulk data modification, which can corrupt data, expose it through attacker-controlled changes, or disrupt availability when applications depend on the overwritten rows.
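The affected ranges above are easy to get wrong by hand because the fix landed as a different patch level on each 2.x minor line. The following triage helper is an added example (not Hasura's code and not from the advisory); it encodes the fixed versions listed on this page and classifies a version string such as the one Hasura returns from its `GET /v1/version` endpoint. Treatment of `-beta`/`-alpha`/`-rc` suffixes as pre-releases, and of other suffixes (for example `-ce`, `-cloud.1`) as release variants, is an assumption of this example.

```python
import json
import re
from typing import Dict, Optional, Tuple

# Fixed patch level per affected 2.x minor line, transcribed from the advisory.
# Anything from 2.10.0 up to (not including) the fixed release of its minor
# line is vulnerable; 2.9.x and earlier, and 2.16+, are not.
FIXED_PATCH: Dict[int, int] = {10: 2, 11: 3, 12: 1, 13: 2, 14: 1, 15: 2}
FIRST_AFFECTED: Tuple[int, int, int] = (2, 10, 0)

# Accepts "v2.15.1", "2.15.1", "v2.15.2-beta.1", "v2.12.0-ce", ...
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")
# Assumption: only these suffixes denote a pre-release that predates the tagged patch.
_PRERELEASE_RE = re.compile(r"^-(alpha|beta|rc)", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[Tuple[int, int, int], bool]]:
    """Return ((major, minor, patch), is_prerelease) or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    triple = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    suffix = m.group(4) or ""
    return triple, bool(_PRERELEASE_RE.match(suffix))


def triage(version: str) -> Dict[str, object]:
    """Classify a Hasura version against CVE-2022-46792.

    Returns {'version', 'affected', 'fixed_in'}; fixed_in is the smallest
    patched release on the same minor line, or None when no upgrade is needed.
    """
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised Hasura version string: {version!r}")
    (major, minor, patch), prerelease = parsed

    affected = False
    fixed_in = None
    if major == 2 and (major, minor, patch) >= FIRST_AFFECTED and minor in FIXED_PATCH:
        fixed_patch = FIXED_PATCH[minor]
        # A pre-release of the fixed patch (e.g. v2.15.2-beta.1) was cut before
        # that release, so it is counted as vulnerable to stay conservative.
        affected = patch < fixed_patch or (patch == fixed_patch and prerelease)
        if affected:
            fixed_in = f"v2.{minor}.{fixed_patch}"
    return {"version": version, "affected": affected, "fixed_in": fixed_in}


def triage_version_response(body: str) -> Dict[str, object]:
    """Triage the JSON body returned by Hasura's GET /v1/version ({"version": "v2.x.y"})."""
    return triage(json.loads(body)["version"])


if __name__ == "__main__":
    # Constructed response body in the shape /v1/version returns; not a real capture.
    print(triage_version_response('{"version": "v2.15.1"}'))
```

Run it against each engine you operate (one `curl -s https://<host>/v1/version` per instance) and upgrade every instance whose `affected` flag is true to at least its `fixed_in` release.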

Potential Impact

For European organizations, the impact of CVE-2022-46792 can be significant, particularly for those relying on Hasura GraphQL Engine as part of their backend infrastructure interfacing with PostgreSQL databases. The vulnerability enables unauthorized modification of data at a granular row level, which can lead to breaches of data confidentiality, unauthorized data alteration, and potential disruption of business processes relying on accurate data. Sectors such as finance, healthcare, public administration, and critical infrastructure that handle sensitive or regulated data are at heightened risk. Exploitation could result in compliance violations under GDPR due to unauthorized data access or modification, leading to legal and financial penalties. Additionally, the integrity loss could undermine trust in digital services and cause operational downtime or data recovery costs. Since the attack requires some level of privileges but no user interaction, insider threats or compromised accounts could be leveraged to exploit this vulnerability, increasing the risk profile for organizations with complex user roles and permissions. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for targeted attacks, especially as threat actors often develop exploits for high-impact vulnerabilities over time.

Mitigation Recommendations

1. Upgrade immediately to the fixed Hasura GraphQL Engine release for your minor line: 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, or 2.15.2 (or any later release). Update every environment, including development and staging, not just production.
2. Review and audit the row-level update permissions configured in Hasura (the `filter` and `check` expressions of each role's update permission on each table) and verify, on the patched engine, that `update_<table>_many` enforces them the same way the single-row update mutation does.
3. Apply least privilege to the roles and service accounts that can reach the GraphQL API: grant update permission only on the tables a role actually needs to modify, so a compromised credential has a small blast radius.
4. Monitor the engine's HTTP logs for `update_<table>_many` mutations issued by non-admin roles, especially requests with many entries in the `updates` list or with empty `where` clauses, which indicate attempts to touch rows outside the caller's own scope.
5. Where a Web Application Firewall sits in front of the API, add rules that detect and block suspicious GraphQL mutation patterns targeting the Update Many API.
6. Include authorization-bypass scenarios for GraphQL mutations in penetration tests to confirm that no residual weakness remains after patching.
7. If an immediate upgrade is impossible, reduce exposure in the interim: remove update permissions for untrusted roles on sensitive tables, enable Hasura's operation allow-list so only vetted mutations are accepted, and restrict API access to trusted internal networks.
8. Maintain an incident response plan that covers rapid containment (revoking the role or credential involved) and data restoration if exploitation is detected.
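To make step 4 concrete, here is an added detection example (not from Hasura or from this advisory) that scans Hasura JSON HTTP-log lines for bulk-update mutations from non-admin roles. The sample log lines are constructed inline; the field layout (`type`, `detail.operation.query.query`, `detail.operation.user_vars`, `detail.request_id`) follows the shape of Hasura's `http-log` entries but is an assumption of this example, so adjust the accessors to the log format you actually collect.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Bulk-update mutation shape: update_<table>_many(updates: [{where: ..., _set: ...}, ...])
UPDATE_MANY_RE = re.compile(r"\bupdate_(\w+?)_many\s*\(")
WHERE_RE = re.compile(r"\bwhere\s*:")
EMPTY_WHERE_RE = re.compile(r"\bwhere\s*:\s*\{\s*\}")


@dataclass
class Finding:
    request_id: str
    role: str
    user_id: str
    table: str
    n_updates: int
    reasons: List[str] = field(default_factory=list)


def scan_http_logs(lines: Iterable[str], max_updates: int = 25) -> List[Finding]:
    """Flag update_<table>_many mutations issued by non-admin roles.

    Every non-admin use is reported (on an unpatched engine none should be trusted);
    empty where clauses and oversized update lists are called out as extra reasons.
    """
    findings: List[Finding] = []
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # non-JSON noise such as startup banners
        if rec.get("type") != "http-log":
            continue
        detail = rec.get("detail") or {}
        op = detail.get("operation") or {}
        query = (op.get("query") or {}).get("query") or ""
        user_vars = op.get("user_vars") or {}
        role = user_vars.get("x-hasura-role", "")
        match = UPDATE_MANY_RE.search(query)
        if match is None or role == "admin":
            continue
        n_updates = len(WHERE_RE.findall(query))  # one where per entry in `updates`
        reasons = ["update_many by non-admin role"]
        if EMPTY_WHERE_RE.search(query):
            reasons.append("empty where clause")
        if n_updates > max_updates:
            reasons.append(f"{n_updates} updates in one request")
        findings.append(Finding(
            request_id=detail.get("request_id", "?"),
            role=role,
            user_id=user_vars.get("x-hasura-user-id", "?"),
            table=match.group(1),
            n_updates=n_updates,
            reasons=reasons,
        ))
    return findings


def _http_log(role: str, user_id: str, query: str, request_id: str) -> str:
    """Build one constructed http-log line in the assumed Hasura layout."""
    return json.dumps({
        "type": "http-log", "level": "info",
        "detail": {
            "request_id": request_id,
            "operation": {"query": {"query": query},
                          "user_vars": {"x-hasura-role": role, "x-hasura-user-id": user_id}},
            "http_info": {"method": "POST", "url": "/v1/graphql", "status": 200},
        },
    })


# Constructed sample: an admin bulk update, a user bulk update with an empty where,
# a plain single-table update by the same user, and one non-JSON line.
SAMPLE_LOGS = [
    _http_log("admin", "0", 'mutation { update_orders_many(updates: [{where: {id: {_eq: 7}}, '
              '_set: {status: "paid"}}]) { affected_rows } }', "req-1"),
    _http_log("user", "42", 'mutation { update_orders_many(updates: [{where: {id: {_eq: 7}}, '
              '_set: {status: "paid"}}, {where: {}, _set: {status: "refunded"}}]) { affected_rows } }', "req-2"),
    _http_log("user", "42", 'mutation { update_orders(where: {id: {_eq: 7}}, _set: {status: "paid"}) '
              '{ affected_rows } }', "req-3"),
    "hasura graphql-engine starting, not a JSON line",
]

if __name__ == "__main__":
    for f in scan_http_logs(SAMPLE_LOGS):
        print(f)
```

Feed it the engine's stdout (or the http-log stream from your log shipper) and alert on any finding while the engine is unpatched; after upgrading, keep the empty-where and oversized-list reasons as a lower-priority signal for abuse of legitimately granted update permissions.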


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-12-08T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9847c4522896dcbf59ea

Added to database: 5/21/2025, 9:09:27 AM

Last enriched: 6/21/2025, 6:37:26 PM

Last updated: 8/16/2025, 9:43:03 AM
