CVE-2021-47714
BaseFortify
Publication date: 2025-12-22
Last updated on: 2025-12-27
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hasura | graphql_engine | 1.3.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2021-47714 is a local file read vulnerability in Hasura GraphQL version 1.3.3. Attackers can exploit a SQL injection flaw in the GraphQL query endpoint to execute malicious SQL commands. Specifically, they use the PostgreSQL function pg_read_file() to read arbitrary files on the server hosting Hasura GraphQL. This allows unauthorized access to sensitive system files without needing authentication or user interaction. [2, 3]
How can this vulnerability impact me? :
This vulnerability can allow attackers to read sensitive files on the server running Hasura GraphQL, potentially exposing confidential information such as system configuration, user data, or credentials. Since the exploit requires no authentication and has low complexity, it poses a significant risk of unauthorized data disclosure and could lead to further attacks or system compromise. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted HTTP POST requests to the /v1/query endpoint of the Hasura GraphQL server, containing malicious SQL queries that use the PostgreSQL pg_read_file() function to attempt reading arbitrary files. For example, a command using curl could be constructed to send a JSON payload with a run_sql command that tries to read /etc/passwd. Additionally, a Python script using the requests library can be used to automate this detection by sending such payloads and checking the response for file contents. The exploit involves sending a POST request with a JSON body like: {"type": "run_sql", "args": {"sql": "SELECT pg_read_file('../../../../../../../../../etc/passwd',0,1000);"}} to the /v1/query endpoint. If the response contains file content, the system is vulnerable. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Hasura GraphQL Engine from version 1.3.3 to a version where this vulnerability is fixed, as the issue arises from SQL injection in the query endpoint. Additionally, restricting access to the /v1/query endpoint to trusted users or networks, implementing proper input validation and sanitization, and applying network-level controls to limit exposure can help reduce risk. Monitoring and blocking suspicious POST requests attempting to exploit pg_read_file() can also be effective. Since the vulnerability requires no authentication, limiting exposure and patching are critical. [1, 3]