Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends. The fixed versions are 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2. (Versions before 2.10.0 are unaffected.)
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/46xxx/CVE-2022-46792.json",
"cna_assigner": "mitre"
}{
"cpe": [
"cpe:2.3:a:hasura:graphql_engine:*:*:*:*:*:*:*:*",
"cpe:2.3:a:hasura:graphql_engine:2.12.0:-:*:*:*:*:*:*",
"cpe:2.3:a:hasura:graphql_engine:2.14.0:-:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "2.10.0"
},
{
"fixed": "2.10.2"
},
{
"introduced": "2.11.0"
},
{
"fixed": "2.11.3"
},
{
"introduced": "2.13.0"
},
{
"fixed": "2.13.2"
},
{
"introduced": "2.15.0"
},
{
"fixed": "2.15.2"
},
{
"introduced": "2.12.0-NA"
},
{
"last_affected": "2.12.0-NA"
},
{
"introduced": "2.14.0-NA"
},
{
"last_affected": "2.14.0-NA"
}
],
"source": [
"CPE_RANGE",
"CPE_STRING"
]
}