Security advisory: IBEXA-SA-2021-008

GraphQL authentication doesn't respect security config
Publication date: 26/10/2021, 07:40

Severity: Medium

Affected versions: v2.3.*
Resolving versions: v2.3.3.1

This Security Advisory is about a vulnerability in GraphQL authentication. GraphQL allows you to configure alternative user checkers (login handlers), but these are not recognized on login: the standard handler is always used regardless of the security configuration. This means that, for example, login by email will not work even if the handler for it is enabled, and login by username will work even if it has been disabled. This constitutes a risk where that behaviour is unexpected and unwanted. The fix ensures that the configured user checker is used.
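To make the reported behaviour concrete, the following is an added illustration and not Ibexa's code: it models a GraphQL login resolver in plain Python with two user checkers (username and email), shows the pre-fix resolver that ignores the configured checker next to the corrected one, and includes a small regression check of the kind a deployment could keep to confirm that GraphQL login honours the security configuration. The user records, the `user_checker` config key and all function names are constructed for this example.

```python
"""Model of the behaviour described in IBEXA-SA-2021-008.

Added illustration, not Ibexa's implementation: the users, the
`user_checker` config key and every name below are constructed.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional

@dataclass(frozen=True)
class User:
    username: str
    email: str
    password: str  # plaintext only because this is a toy model

# Constructed sample users.
USERS = [
    User("alice", "alice@example.org", "correct horse"),
    User("bob", "bob@example.org", "battery staple"),
]

# A "user checker" (login handler) maps a login identifier to a user record.
UserChecker = Callable[[str], Optional[User]]

def username_checker(identifier: str) -> Optional[User]:
    """Standard handler: the identifier is a username."""
    return next((u for u in USERS if u.username == identifier), None)

def email_checker(identifier: str) -> Optional[User]:
    """Alternative handler: the identifier is an e-mail address."""
    return next((u for u in USERS if u.email.lower() == identifier.lower()), None)

CHECKERS: Dict[str, UserChecker] = {
    "username": username_checker,
    "email": email_checker,
}

def _authenticate(checker: UserChecker, identifier: str, password: str) -> bool:
    """Look the identifier up with the given checker and verify the password."""
    user = checker(identifier)
    return user is not None and hmac.compare_digest(user.password, password)

def graphql_login_vulnerable(config: dict, identifier: str, password: str) -> bool:
    """Pre-fix behaviour: the security config is ignored and the standard
    username handler is always used."""
    return _authenticate(CHECKERS["username"], identifier, password)

def graphql_login_fixed(config: dict, identifier: str, password: str) -> bool:
    """Post-fix behaviour: dispatch to the checker named in the security config."""
    checker = CHECKERS[config["user_checker"]]
    return _authenticate(checker, identifier, password)

def login_honours_config(login_fn, config: dict) -> bool:
    """Regression check: with the email checker configured, login by e-mail
    must succeed and login by username must be refused."""
    return (login_fn(config, "alice@example.org", "correct horse")
            and not login_fn(config, "alice", "correct horse"))

if __name__ == "__main__":
    cfg = {"user_checker": "email"}
    print("vulnerable resolver honours config:", login_honours_config(graphql_login_vulnerable, cfg))
    print("fixed resolver honours config:     ", login_honours_config(graphql_login_fixed, cfg))
```

Run stand-alone, the script reports that the pre-fix resolver fails the check (email login is refused while the disabled username login still succeeds) and that the corrected resolver passes it. A check of this shape, pointed at a real GraphQL endpoint in a test environment, is a straightforward way to confirm after upgrading to v2.3.3.1 that the configured handler is actually the one in effect.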


Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/