CVE-2020-26136 GraphQL doesn't honour MFA when using basic auth

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Severity:: Medium (?)
Identifier:: CVE-2020-26136
Versions Affected:: silverstripe/graphql: ^3.0.0, ^4.0.0-alpha1
Versions Fixed:: silverstripe/graphql: ^3.5.0, ^4.0.0-alpha2
Release Date:: 2021-06-08

The GraphQL module accepts basic-auth as an authentication method by default. This can be used to bypass MFA authentication if the silverstripe/mfa module is installed, which is now a commonly installed module. A users password is still required though.

Basic-auth has been removed as a default authentication method. It desired, it can be re-enabled by adding it to the authenticators key of a schema, or on SilverStripe\Graphql\Auth\Handler, i.e.

  authenticators:
    -
      class: SilverStripe\GraphQL\Auth\BasicAuthAuthenticator
      priority: 20

Base CVSS: 4.2

CWP CVSS: 4.2

Reporters: Maxime Rainville from Silverstripe Ltd