PT-2023-27902 · Unknown · Apollo Router

Nmoutschen · Published 2023-09-05 · Updated 2023-09-08 · CVE-2023-41317

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Apollo Router versions 1.28.0 through 1.29.0

Description

The Apollo Router is subject to a Denial-of-Service (DoS) vulnerability which causes the Router to panic and terminate when GraphQL Subscriptions are enabled. This can be triggered when all of the following conditions are met:

  1. Running an impacted version of Apollo Router;
  2. The Supergraph schema has a subscription type with root fields defined;
  3. The YAML configuration has subscriptions enabled;
  4. An anonymous subscription operation is received by the Router.

There is no data-privacy risk or sensitive-information exposure aspect to this vulnerability.

Recommendations

For Apollo Router versions 1.28.0 through 1.29.0, update to version 1.29.1 to resolve the issue. As a temporary workaround, consider disabling subscriptions if they are not necessary for your Graph.
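The four conditions above can be checked against a deployment before deciding whether it needs the patch or the workaround. The script below is an added example written for this page, not Apollo's own tooling: it takes the Router version string, the supergraph SDL and the router YAML, reports which of conditions 1 to 3 hold, and classifies an operation document as an anonymous subscription (condition 4) for log triage. The sample schema and configs are constructed; the `subscription:` / `enabled:` key layout is my understanding of the Router configuration format and should be checked against the configuration reference for your version, and the `@link` / `@join__field` directives in the sample are only illustrative supergraph SDL. Parsing is regex-based and deliberately minimal, so it handles ordinary SDL and YAML but not every corner of either grammar.

```python
"""Pre-flight check for the CVE-2023-41317 trigger conditions.
Added example, not Apollo's code. Conditions 1-3 are deployment properties;
condition 4 (an anonymous subscription arriving) is attacker-controlled."""
import re

AFFECTED_MIN, AFFECTED_MAX = (1, 28, 0), (1, 29, 0)  # inclusive affected range

def parse_version(text):
    """'v1.28.3-rc.1' -> (1, 28, 3); pre-release and build tags are ignored."""
    core = text.strip().lstrip("v").split("-")[0].split("+")[0]
    nums = [int(p) for p in core.split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def version_affected(text):  # condition 1
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX

def strip_comments(text):
    """Drop '#' comments (naive: a '#' inside a string literal is cut too)."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def subscription_root_fields(sdl):
    """Condition 2: names of the root fields on the subscription type.
    The root type is 'Subscription' unless a schema definition renames it."""
    sdl = strip_comments(sdl)
    m = re.search(r"\bschema\b[^{]*\{[^}]*\bsubscription\s*:\s*(\w+)", sdl)
    root = m.group(1) if m else "Subscription"
    fields = []
    for body in re.findall(r"(?:extend\s+)?type\s+" + root + r"\b[^{]*\{([^}]*)\}", sdl):
        for line in body.splitlines():
            fm = re.match(r"\s*(\w+)\s*(?:\([^)]*\))?\s*:", line)  # name(args?): Type
            if fm:
                fields.append(fm.group(1))
    return fields

def subscriptions_enabled(router_yaml):
    """Condition 3: 'enabled: true' directly under a top-level 'subscription:' block.
    Indentation-aware scan instead of a YAML library so this runs offline. The key
    layout is an assumption about the Router config; no block means disabled."""
    in_block, child_indent = False, None
    for raw in router_yaml.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:  # a new top-level key starts; is it the subscription block?
            in_block, child_indent = line.strip() == "subscription:", None
            continue
        if in_block:
            child_indent = indent if child_indent is None else child_indent
            if indent == child_indent and line.strip().lower() == "enabled: true":
                return True
    return False

# Condition 4: operation type `subscription` with no name. The GraphQL grammar makes
# the name optional, so `subscription {`, `subscription (` and `subscription @` are
# anonymous while `subscription OnNew {` is named.
ANONYMOUS_SUBSCRIPTION = re.compile(r"^\s*subscription\s*[({@]")

def is_anonymous_subscription(document):
    return bool(ANONYMOUS_SUBSCRIPTION.match(strip_comments(document)))

def assess(router_version, supergraph_sdl, router_yaml):
    """Conditions 1-3 for one deployment; 'exposed' means all three hold."""
    result = {
        "affected_version": version_affected(router_version),
        "schema_has_subscription_fields": bool(subscription_root_fields(supergraph_sdl)),
        "subscriptions_enabled": subscriptions_enabled(router_yaml),
    }
    result["exposed"] = all(result.values())
    return result

# Constructed sample inputs, not taken from any real deployment.
SAMPLE_SDL = """
schema @link(url: "https://specs.apollo.dev/link/v1.0") { query: Query subscription: Subscription }
type Query { me: User }
type Subscription {
  newMessage(roomId: ID!): Message @join__field(graph: CHAT)
}
type User { id: ID! }
type Message { id: ID! body: String }
"""
CONFIG_ENABLED = """
supergraph:
  listen: 0.0.0.0:4000
subscription:
  enabled: true
  mode:
    passthrough:
      all:
        path: /ws
"""
CONFIG_WORKAROUND = CONFIG_ENABLED.replace("enabled: true", "enabled: false")

if __name__ == "__main__":
    print("affected + enabled :", assess("1.28.3", SAMPLE_SDL, CONFIG_ENABLED))
    print("subscriptions off  :", assess("1.28.3", SAMPLE_SDL, CONFIG_WORKAROUND))
    print("patched 1.29.1     :", assess("1.29.1", SAMPLE_SDL, CONFIG_ENABLED))
```

Run it against the real supergraph SDL and router YAML of each Router instance. A result with `exposed: true` should be upgraded to 1.29.1 or, as the advisory's interim step, have the subscription block set to `enabled: false` (which is what `CONFIG_WORKAROUND` models). The `is_anonymous_subscription` classifier is for triaging captured operation documents in logs or at a proxy; it is not a substitute for the upgrade.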

Exploit

Fix

Weakness Enumeration

Improper Handling of Exceptional Conditions

Related identifiers

CVE-2023-41317
GHSA-W8VQ-3HF9-XPPX

Affected products

Apollo Router