Description

Your web application is running with GraphQL Field Suggestions enabled in a production environment.

GraphQL Field Suggestions is a feature that provides clients with suggested field names when an invalid or non-existent field is queried. This feature can help developers identify available fields and navigate the API more effectively.

However, in a production environment, exposing field suggestions may pose a security risk: an attacker can use the suggested field names to gather information about the API's structure and then craft targeted attacks, exploit other vulnerabilities, or gain unauthorized access to protected resources. It is essential to disable or restrict access to field suggestions in production environments to prevent this information leakage.

Remediation

Disable Field Suggestions: Ensure that GraphQL Field Suggestions are disabled or restricted in production environments. Keep this feature enabled only in development or staging environments where access is limited to authorized personnel.
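The following is an added example, not code from the original page or from any particular GraphQL server project. It shows the usual way the remediation is applied when the server library itself has no switch for suggestions: an error-formatting hook that strips the "Did you mean ..." suffix graphql-js appends to validation errors before the response reaches the client, plus a defender-side check that a response body no longer carries suggestions. It assumes errors follow the graphql-js shape (`message`, `locations`, `path`, `extensions`) and that the hook is wired into the server's error-formatting option (for example Apollo Server's `formatError`). The check matters because field suggestions let a client reconstruct the schema field by field even when introspection has been disabled, so disabling introspection alone is not sufficient.

```javascript
// Added example (not from the original page): strip graphql-js field
// suggestions from client-facing errors and verify that a response no
// longer leaks them. Assumed error shape: { message, locations, path,
// extensions }, as produced by graphql-js.

// graphql-js appends suggestions to validation errors in the form
// `... Did you mean "user"?` or `... Did you mean "user" or "users"?`
const SUGGESTION_RE = /\s*Did you mean\b.*$/s;

// Remove the suggestion clause, leaving the rest of the message intact.
function stripFieldSuggestions(message) {
  return message.replace(SUGGESTION_RE, '');
}

// Error-formatting hook: returns a copy so the original error object,
// which the server may still log in full, is not mutated.
function formatError(formattedError) {
  return {
    ...formattedError,
    message: stripFieldSuggestions(formattedError.message),
  };
}

// Apply the hook to every error in a GraphQL response body.
function sanitizeResponse(body) {
  if (!body || !Array.isArray(body.errors)) return body;
  return { ...body, errors: body.errors.map(formatError) };
}

// Defender-side check, e.g. for a deployment test: does this response body
// still contain a suggestion clause in any error message?
function responseLeaksSuggestions(body) {
  const errors = Array.isArray(body && body.errors) ? body.errors : [];
  return errors.some(
    (e) => typeof e.message === 'string' && /Did you mean/.test(e.message)
  );
}

// Constructed sample (not captured from a real server): what graphql-js
// returns for a query selecting a misspelled field `usr` on `Query` when
// the schema defines `user` and `users`.
const sampleResponse = {
  errors: [
    {
      message:
        'Cannot query field "usr" on type "Query". Did you mean "user" or "users"?',
      locations: [{ line: 1, column: 3 }],
      extensions: { code: 'GRAPHQL_VALIDATION_FAILED' },
    },
  ],
};

// Stand-alone demonstration: before and after sanitizing.
console.log('leaks before:', responseLeaksSuggestions(sampleResponse));
const cleaned = sanitizeResponse(sampleResponse);
console.log('leaks after: ', responseLeaksSuggestions(cleaned));
console.log('client sees: ', cleaned.errors[0].message);
```

Run the check against a response from the production endpoint (a query for a deliberately misspelled field) as part of the deployment checklist; it should report no leak once the hook is in place. Keep the unmodified error available to server-side logging so developers still get the suggestion when debugging.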

Related Vulnerabilities