CVE-2021-47715

Exploit

EPSS 0.05%
Veröffentlicht 22.12.2025 21:35:25
Zuletzt bearbeitet 26.12.2025 16:57:55
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

Hasura GraphQL 1.3.3 contains a server-side request forgery vulnerability that allows attackers to inject arbitrary remote schema URLs through the add_remote_schema endpoint. Attackers can exploit the vulnerability by sending crafted POST requests to the /v1/query endpoint with malicious URL definitions to potentially access internal network resources.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Hasura ≫ Graphql Engine Version1.3.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.157

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
disclosure@vulncheck.com	6.9	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
disclosure@vulncheck.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/hasura/graphql-engine

Product

https://www.exploit-db.com/exploits/49791

Exploit

https://www.vulncheck.com/advisories/hasura-graphql-server-side-request-forgery-via-remote-schema-injection

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2021-47715

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-47715

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-47715

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2021-47715