Django REST framework

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

Vulnerability_idVCID-1mvj-w9yw-kyac
Summary
View permissions are bypassed for paginated lists of ORM data
### Impact
`canView` permission checks are bypassed for ORM data in paginated GraphQL query results where the total number of records is greater than the number of records per page.

Note that this also affects GraphQL queries which have a limit applied, even if the query isn’t paginated per se.

This has been fixed by ensuring no new records are pulled in from the database after performing `canView` permission checks for each page of results. This may result in some pages in your query results having less than the maximum number of records per page even when there are more pages of results.

This behaviour is consistent with how pagination works in other areas of Silverstripe CMS, such as in `GridField`, and is a result of having to perform permission checks in PHP rather than in the database directly.

You can choose to disable these permission checks by disabling the `CanViewPermission` plugin following the instructions in [overriding default plugins](https://docs.silverstripe.org/en/5/developer_guides/graphql/plugins/overview/#overriding-default-plugins).

Note that this vulnerability does not affect version 3.x.

**Base CVSS:** [5.3](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C&version=3.1)
**Reported by:** Eduard Briem from Hothouse Creative, Nelson

### References
https://www.silverstripe.org/download/security-releases/CVE-2023-44401
Aliases
0
alias CVE-2023-44401
1
alias GHSA-jgph-w8rh-xf5p
Fixed_packages
0
url pkg:composer/silverstripe/graphql@4.3.7
purl pkg:composer/silverstripe/graphql@4.3.7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.3.7
1
url pkg:composer/silverstripe/graphql@5.1.3
purl pkg:composer/silverstripe/graphql@5.1.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@5.1.3
Affected_packages
0
url pkg:composer/silverstripe/graphql@4.0.0
purl pkg:composer/silverstripe/graphql@4.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
1
vulnerability VCID-zaty-jxqd-hyb4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.0.0
1
url pkg:composer/silverstripe/graphql@4.0.1
purl pkg:composer/silverstripe/graphql@4.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
1
vulnerability VCID-zaty-jxqd-hyb4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.0.1
2
url pkg:composer/silverstripe/graphql@4.0.2
purl pkg:composer/silverstripe/graphql@4.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
1
vulnerability VCID-zaty-jxqd-hyb4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.0.2
3
url pkg:composer/silverstripe/graphql@4.1.0-beta1
purl pkg:composer/silverstripe/graphql@4.1.0-beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
1
vulnerability VCID-zaty-jxqd-hyb4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.1.0-beta1
4
url pkg:composer/silverstripe/graphql@4.1.0-rc1
purl pkg:composer/silverstripe/graphql@4.1.0-rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
1
vulnerability VCID-zaty-jxqd-hyb4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.1.0-rc1
5
url pkg:composer/silverstripe/graphql@4.1.0
purl pkg:composer/silverstripe/graphql@4.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
1
vulnerability VCID-zaty-jxqd-hyb4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.1.0
6
url pkg:composer/silverstripe/graphql@4.1.1
purl pkg:composer/silverstripe/graphql@4.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
1
vulnerability VCID-688j-23f6-hbhj
2
vulnerability VCID-zaty-jxqd-hyb4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.1.1
7
url pkg:composer/silverstripe/graphql@4.1.2
purl pkg:composer/silverstripe/graphql@4.1.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
1
vulnerability VCID-zaty-jxqd-hyb4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.1.2
8
url pkg:composer/silverstripe/graphql@4.1.3
purl pkg:composer/silverstripe/graphql@4.1.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.1.3
9
url pkg:composer/silverstripe/graphql@4.2.0
purl pkg:composer/silverstripe/graphql@4.2.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
1
vulnerability VCID-zaty-jxqd-hyb4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.2.0
10
url pkg:composer/silverstripe/graphql@4.2.1
purl pkg:composer/silverstripe/graphql@4.2.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
1
vulnerability VCID-zaty-jxqd-hyb4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.2.1
11
url pkg:composer/silverstripe/graphql@4.2.2
purl pkg:composer/silverstripe/graphql@4.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
1
vulnerability VCID-688j-23f6-hbhj
2
vulnerability VCID-zaty-jxqd-hyb4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.2.2
12
url pkg:composer/silverstripe/graphql@4.2.3
purl pkg:composer/silverstripe/graphql@4.2.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
1
vulnerability VCID-zaty-jxqd-hyb4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.2.3
13
url pkg:composer/silverstripe/graphql@4.2.4
purl pkg:composer/silverstripe/graphql@4.2.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
1
vulnerability VCID-zaty-jxqd-hyb4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.2.4
14
url pkg:composer/silverstripe/graphql@4.2.5
purl pkg:composer/silverstripe/graphql@4.2.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.2.5
15
url pkg:composer/silverstripe/graphql@4.3.0-rc1
purl pkg:composer/silverstripe/graphql@4.3.0-rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.3.0-rc1
16
url pkg:composer/silverstripe/graphql@4.3.0
purl pkg:composer/silverstripe/graphql@4.3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
1
vulnerability VCID-zaty-jxqd-hyb4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.3.0
17
url pkg:composer/silverstripe/graphql@4.3.1
purl pkg:composer/silverstripe/graphql@4.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
1
vulnerability VCID-zaty-jxqd-hyb4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.3.1
18
url pkg:composer/silverstripe/graphql@4.3.2
purl pkg:composer/silverstripe/graphql@4.3.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
1
vulnerability VCID-zaty-jxqd-hyb4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.3.2
19
url pkg:composer/silverstripe/graphql@4.3.3
purl pkg:composer/silverstripe/graphql@4.3.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
1
vulnerability VCID-zaty-jxqd-hyb4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.3.3
20
url pkg:composer/silverstripe/graphql@4.3.4
purl pkg:composer/silverstripe/graphql@4.3.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.3.4
21
url pkg:composer/silverstripe/graphql@4.3.5
purl pkg:composer/silverstripe/graphql@4.3.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.3.5
22
url pkg:composer/silverstripe/graphql@4.3.6
purl pkg:composer/silverstripe/graphql@4.3.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.3.6
23
url pkg:composer/silverstripe/graphql@5.0.0
purl pkg:composer/silverstripe/graphql@5.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
1
vulnerability VCID-zaty-jxqd-hyb4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@5.0.0
24
url pkg:composer/silverstripe/graphql@5.0.1
purl pkg:composer/silverstripe/graphql@5.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
1
vulnerability VCID-zaty-jxqd-hyb4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@5.0.1
25
url pkg:composer/silverstripe/graphql@5.0.2
purl pkg:composer/silverstripe/graphql@5.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
1
vulnerability VCID-zaty-jxqd-hyb4
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@5.0.2
26
url pkg:composer/silverstripe/graphql@5.0.3
purl pkg:composer/silverstripe/graphql@5.0.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@5.0.3
27
url pkg:composer/silverstripe/graphql@5.1.0-beta1
purl pkg:composer/silverstripe/graphql@5.1.0-beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@5.1.0-beta1
28
url pkg:composer/silverstripe/graphql@5.1.0-rc1
purl pkg:composer/silverstripe/graphql@5.1.0-rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@5.1.0-rc1
29
url pkg:composer/silverstripe/graphql@5.1.0
purl pkg:composer/silverstripe/graphql@5.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@5.1.0
30
url pkg:composer/silverstripe/graphql@5.1.1
purl pkg:composer/silverstripe/graphql@5.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@5.1.1
31
url pkg:composer/silverstripe/graphql@5.1.2
purl pkg:composer/silverstripe/graphql@5.1.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1mvj-w9yw-kyac
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@5.1.2
References
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-44401
reference_id
reference_type
scores
0
value 0.00187
scoring_system epss
scoring_elements 0.40224
published_at 2026-05-15T12:55:00Z
1
value 0.00187
scoring_system epss
scoring_elements 0.40545
published_at 2026-04-12T12:55:00Z
2
value 0.00187
scoring_system epss
scoring_elements 0.40526
published_at 2026-04-13T12:55:00Z
3
value 0.00187
scoring_system epss
scoring_elements 0.40574
published_at 2026-04-16T12:55:00Z
4
value 0.00187
scoring_system epss
scoring_elements 0.40543
published_at 2026-04-18T12:55:00Z
5
value 0.00187
scoring_system epss
scoring_elements 0.40467
published_at 2026-04-21T12:55:00Z
6
value 0.00187
scoring_system epss
scoring_elements 0.40365
published_at 2026-04-24T12:55:00Z
7
value 0.00187
scoring_system epss
scoring_elements 0.40352
published_at 2026-04-26T12:55:00Z
8
value 0.00187
scoring_system epss
scoring_elements 0.40272
published_at 2026-04-29T12:55:00Z
9
value 0.00187
scoring_system epss
scoring_elements 0.40133
published_at 2026-05-05T12:55:00Z
10
value 0.00187
scoring_system epss
scoring_elements 0.402
published_at 2026-05-07T12:55:00Z
11
value 0.00187
scoring_system epss
scoring_elements 0.40218
published_at 2026-05-09T12:55:00Z
12
value 0.00187
scoring_system epss
scoring_elements 0.40121
published_at 2026-05-11T12:55:00Z
13
value 0.00187
scoring_system epss
scoring_elements 0.40145
published_at 2026-05-12T12:55:00Z
14
value 0.00187
scoring_system epss
scoring_elements 0.40212
published_at 2026-05-14T12:55:00Z
15
value 0.00187
scoring_system epss
scoring_elements 0.40552
published_at 2026-04-08T12:55:00Z
16
value 0.00187
scoring_system epss
scoring_elements 0.4058
published_at 2026-04-04T12:55:00Z
17
value 0.00187
scoring_system epss
scoring_elements 0.40501
published_at 2026-04-07T12:55:00Z
18
value 0.00187
scoring_system epss
scoring_elements 0.40562
published_at 2026-04-09T12:55:00Z
19
value 0.00187
scoring_system epss
scoring_elements 0.40582
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-44401
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/graphql/CVE-2023-44401.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/graphql/CVE-2023-44401.yaml
2
reference_url https://github.com/silverstripe/silverstripe-graphql
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/silverstripe/silverstripe-graphql
3
reference_url https://github.com/silverstripe/silverstripe-graphql/security/advisories/GHSA-jgph-w8rh-xf5p
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-23T14:40:17Z/
url https://github.com/silverstripe/silverstripe-graphql/security/advisories/GHSA-jgph-w8rh-xf5p
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-44401
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-44401
5
reference_url https://www.silverstripe.org/download/security-releases/CVE-2023-44401
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-23T14:40:17Z/
url https://www.silverstripe.org/download/security-releases/CVE-2023-44401
6
reference_url https://github.com/advisories/GHSA-jgph-w8rh-xf5p
reference_id GHSA-jgph-w8rh-xf5p
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jgph-w8rh-xf5p
Weaknesses
0
cwe_id 863
name Incorrect Authorization
description The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
1
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
2
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
Exploits
Severity_range_score4.0 - 6.9
Exploitability0.5
Weighted_severity6.2
Risk_score3.1
Resource_urlhttp://public2.vulnerablecode.io/vulnerabilities/VCID-1mvj-w9yw-kyac