CVE-2023-44401

CVE-2023-44401 is a medium-severity vulnerability in Silverstripe Graphql with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-863.

Key facts

Description

The Silverstripe CMS GraphQL Server serves Silverstripe data as GraphQL representations. In versions 4.0.0 prior to 4.3.7 and 5.0.0 prior to 5.1.3, `canView` permission checks are bypassed for ORM data in paginated GraphQL query results where the total number of records is greater than the number of records per page. Note that this also affects GraphQL queries which have a limit applied, even if the query isn’t paginated per se. This has been fixed in versions 4.3.7 and 5.1.3 by ensuring no new records are pulled in from the database after performing `canView` permission checks for each page of results. This may result in some pages in the query results having less than the maximum number of records per page even when there are more pages of results. This behavior is consistent with how pagination works in other areas of Silverstripe CMS, such as in `GridField`, and is a result of having to perform permission checks in PHP rather than in the database directly. One may disable these permission checks by disabling the `CanViewPermission` plugin.

Frequently asked questions

What is CVE-2023-44401?
The Silverstripe CMS GraphQL Server serves Silverstripe data as GraphQL representations. In versions 4.0.0 prior to 4.3.7 and 5.0.0 prior to 5.1.3, `canView` permission checks are bypassed for ORM data in paginated GraphQL query results where the total number of records is greater than the number of records per page. Note that this also affects GraphQL queries which have a limit applied, even if the query isn’t paginated per se. This has been fixed in versions 4.3.7 and 5.1.3 by ensuring no new records are pulled in from the database after performing `canView` permission checks for each page of results. This may result in some pages in the query results having less than the maximum number of records per page even when there are more pages of results. This behavior is consistent with how pagination works in other areas of Silverstripe CMS, such as in `GridField`, and is a result of having to perform permission checks in PHP rather than in the database directly. One may disable these permission checks by disabling the `CanViewPermission` plugin.
How severe is CVE-2023-44401?
CVE-2023-44401 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
Is CVE-2023-44401 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (34th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2023-44401?
CVE-2023-44401 affects Silverstripe Graphql. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2023-44401?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2023-44401 have an EU (EUVD) identifier?
Yes. CVE-2023-44401 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-0378.
When was CVE-2023-44401 published?
CVE-2023-44401 was published on 2024-01-23 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Silverstripe Graphql

All CVEs affecting Silverstripe Graphql →

Other CWE-863 (Incorrect Authorization) vulnerabilities

Browse all CWE-863 (Incorrect Authorization) vulnerabilities →