CVE-2020-26136 — Authentication bypass in SilverStripe GraphQL

Description

The GraphQL module accepts basic-auth as an authentication method by default. This can be used to bypass MFA authentication if the silverstripe/mfa module is installed, which is now a commonly installed module. A users password is still required though. Basic-auth has been removed as a default authentication method. If desired, it can be re-enabled by adding it to the authenticators key of a schema, or on SilverStripe\Graphql\Auth\Handler

How to fix CVE-2020-26136

To remediate CVE-2020-26136, upgrade the affected package to a fixed version below.

—upgrade to 4.6.0 or later
—upgrade to 3.5.0 or later

Is CVE-2020-26136 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 4.6.0 | >= 4.6.0-rc1, <= 4.6.0-rc1
>= 3.0.0, < 3.5.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-26136
WEBforum.silverstripe.org/c/releases
WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/graphql/CVE-2020-26136.yaml
WEBwww.silverstripe.org/blog/tag/release