CVE-2021-35970
📋 TL;DR
CVE-2021-35970 is an information disclosure vulnerability in Coral Talk's GraphQL API: an incorrect data type used in a permission check lets callers read protected fields of other users' profiles, including email addresses. Attackers can use this to harvest email addresses and other personal data. Instances running versions before 4.12.1 are affected.
💻 Affected Systems
- Coral Talk
📦 What is this software?
Coral Talk (aka Talk), the Coral Project's open-source commenting platform maintained by Vox Media. It is embedded on publishers' sites and exposes a GraphQL API that the comment widget, moderators and administrators all use.
⚠️ Risk & Real-World Impact
Worst Case
Complete exposure of all user email addresses and sensitive profile information, potentially leading to targeted phishing campaigns, identity theft, or credential stuffing attacks.
Likely Case
Unauthorized access to email addresses and user profile data, enabling spam campaigns and privacy violations.
If Mitigated
Limited exposure if the GraphQL endpoint is reachable only from trusted networks or sits behind an additional authentication layer. A public commenting deployment cannot normally do either without breaking the embed, so for most sites patching is the only real mitigation.
🎯 Exploit Status
Exploitation consists of sending crafted GraphQL queries for protected User fields to the API endpoint; per this advisory no authentication is needed, so any client that can reach the endpoint can attempt it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.12.1
Vendor Advisory: https://github.com/coralproject/talk/releases/tag/v4.12.1
Restart Required: Yes
Instructions:
1. Back up your current installation (database and configuration).
2. Update to Coral Talk version 4.12.1 or later.
3. Restart the Coral Talk service.
4. Verify the update was successful (see How to Verify below).
🔧 Temporary Workarounds
Restrict GraphQL API Access
Implement network-level restrictions so that only trusted networks reach the Talk application port. Two caveats: this only helps if Talk is exposed directly on that port (if it sits behind a reverse proxy on 443, public users still reach the API through the proxy and the upstream traffic arrives on 3000 from localhost anyway), and it breaks public commenting, because the embed on your site needs the API. It is realistic only for internal or staging deployments.
# Example firewall rules (iptables). Replace trusted_network with your CIDR
# (e.g. 10.0.0.0/8) and 3000 with the port Talk actually listens on. These
# rules are appended, so make sure no earlier rule already accepts port 3000
# (or insert them with -I instead of -A):
iptables -A INPUT -p tcp --dport 3000 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP
Implement API Gateway Rate Limiting
Add rate limiting to the GraphQL endpoint to slow down enumeration. It does not stop a patient attacker, but it makes bulk harvesting slow and noisy enough to show up in the monitoring described below.
# Example nginx configuration. limit_req_zone belongs in the http {} block and
# the location block in the server {} that fronts Talk; adjust the path and
# upstream port to your deployment. $binary_remote_addr limits per client IP,
# so behind a CDN or load balancer configure set_real_ip_from / real_ip_header
# first, otherwise you throttle the load balancer instead of the client.
limit_req_zone $binary_remote_addr zone=graphql:10m rate=10r/s;
location /graphql {
    limit_req zone=graphql burst=20 nodelay;
    proxy_pass http://localhost:3000;
}
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Coral Talk instances from untrusted networks.
- Deploy a Web Application Firewall (WAF) with GraphQL-specific rules to block malicious queries.
🔍 How to Verify
Check if Vulnerable:
Check whether the running version is below 4.12.1. Independently, attempt to query protected User fields (such as email) for another user through the GraphQL endpoint without authenticating: a vulnerable instance returns the data, a patched one returns a permission error or withholds the field.
Check Version:
Check the Coral Talk admin panel, or run node -e "console.log(require('./package.json').version)" in the Coral Talk install directory (inside the container for Docker deployments).
Verify Fix Applied:
After updating to 4.12.1+, verify that unauthorized GraphQL queries for sensitive user data return permission errors.
📡 Detection & Monitoring
Log Indicators:
- Unusual GraphQL query patterns for user data
- Multiple failed authentication attempts followed by GraphQL queries
- Requests to /graphql endpoint with user-related query fields
Network Indicators:
- High volume of GraphQL queries from single IPs
- GraphQL introspection queries from unauthorized sources
SIEM Query:
Illustrative query; field names such as uri_path, query_contains and user_authenticated depend on how your proxy and Talk logs are parsed, so map them to your own schema:
source="coral_talk.logs" AND uri_path="/graphql" AND (query_contains="email" OR query_contains="user") AND NOT user_authenticated=true
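The indicators above can be checked outside a SIEM as well. The script below is an added example, not code from the advisory or the Coral project: it runs the two log indicators that matter most here (anonymous GraphQL queries for the email field, and introspection) over JSON-per-line access log records and raises an alert when one source IP crosses a threshold. The log format, its field names (ip, path, authenticated, query) and the sample lines are all constructed for the example; map them to whatever your reverse proxy or request logger emits.

```python
"""Run the CVE-2021-35970 log indicators over sample access-log lines.

Added example; not code from the advisory or the Coral project. The log
format, the field names and the sample records are constructed assumptions.
"""
import json
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

GRAPHQL_PATH = "/graphql"  # path used in this advisory's nginx example
# Fields an unauthenticated caller should never receive for another user.
SENSITIVE_FIELD_RE = re.compile(r"\b(email)\b")
# Introspection roots. The trailing \b keeps the __typename selection that
# GraphQL clients add to almost every query from matching as a false positive.
INTROSPECTION_RE = re.compile(r"__(schema|type)\b")

# Constructed sample log: one JSON object per line. 203.0.113.9 walks user ids
# anonymously, 198.51.100.4 runs introspection, 192.0.2.77 is a normal widget.
SAMPLE_LOG = [
    '{"ts":"2021-07-01T10:00:01Z","ip":"203.0.113.9","path":"/graphql","authenticated":false,"query":"{ user(id: \\"1\\") { email } }"}',
    '{"ts":"2021-07-01T10:00:02Z","ip":"203.0.113.9","path":"/graphql","authenticated":false,"query":"{ user(id: \\"2\\") { email } }"}',
    '{"ts":"2021-07-01T10:00:03Z","ip":"203.0.113.9","path":"/graphql","authenticated":false,"query":"{ user(id: \\"3\\") { username email } }"}',
    '{"ts":"2021-07-01T10:00:04Z","ip":"198.51.100.4","path":"/graphql","authenticated":true,"query":"{ me { username email } }"}',
    '{"ts":"2021-07-01T10:00:05Z","ip":"198.51.100.4","path":"/graphql","authenticated":false,"query":"{ __schema { types { name } } }"}',
    '{"ts":"2021-07-01T10:00:06Z","ip":"192.0.2.77","path":"/graphql","authenticated":false,"query":"{ asset(id: \\"a1\\") { title __typename } }"}',
    '{"ts":"2021-07-01T10:00:07Z","ip":"203.0.113.9","path":"/static/app.js","authenticated":false}',
    'this line is not JSON and must be skipped',
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one JSON log line; return None for lines we cannot read."""
    try:
        event = json.loads(line)
    except ValueError:
        return None
    return event if isinstance(event, dict) and "ip" in event else None


def classify_event(event: dict) -> List[str]:
    """Return the indicator names an event triggers (empty if benign)."""
    if event.get("path") != GRAPHQL_PATH:
        return []
    query = str(event.get("query", ""))
    hits = []
    # A logged-in user asking for their own email is normal; an anonymous
    # caller asking for anyone's email is the CVE-2021-35970 pattern.
    if not event.get("authenticated") and SENSITIVE_FIELD_RE.search(query):
        hits.append("anon_sensitive_field")
    if INTROSPECTION_RE.search(query):
        hits.append("introspection")
    return hits


def summarize(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Count indicator hits per source IP across the log."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        for hit in classify_event(event):
            counts[event["ip"]][hit] += 1
    return {ip: dict(hits) for ip, hits in counts.items()}


def alerts(summary: Dict[str, Dict[str, int]], threshold: int = 3) -> List[Tuple[str, str]]:
    """Turn per-IP counts into alerts.

    One anonymous email query can be a coincidence; `threshold` of them from
    the same IP looks like enumeration. Introspection from outside the
    organisation is rare enough that a single hit is reported.
    """
    out = []
    for ip, hits in sorted(summary.items()):
        if hits.get("anon_sensitive_field", 0) >= threshold:
            out.append((ip, "anon_sensitive_enumeration"))
        if hits.get("introspection", 0) >= 1:
            out.append((ip, "introspection"))
    return out


if __name__ == "__main__":
    for ip, reason in alerts(summarize(SAMPLE_LOG)):
        print(f"ALERT {ip}: {reason}")
```

The threshold is a per-window count, so in production feed the function one time bucket at a time (for example one batch per five minutes) rather than a whole day's log, otherwise a slow enumeration spread over hours still trips it while a burst of three benign anonymous queries might too. Note that on a patched instance the same queries come back with permission errors, so the indicator stays useful after upgrading as a sign that someone is testing you.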
🔗 References
- https://docs.coralproject.net/coral/api/graphql/#User
- https://github.com/coralproject/talk/compare/v4.12.0...v4.12.1
- https://github.com/coralproject/talk/issues/3600
- https://github.com/coralproject/talk/pull/3599