CVE-2023-28104

Name of the Vulnerable Software and Affected Versions silverstripe/graphql versions 4.1.1 through 4.2.2

Description The issue allows an attacker to execute a denial of service attack against a website with a publicly exposed GraphQL endpoint using a specially crafted GraphQL query. This mostly affects websites with particularly large or complex GraphQL schemas. If the Silverstripe CMS project does not expose a public-facing GraphQL schema, a user account is required to trigger the attack. Hosting the site behind a content delivery network (CDN) may further mitigate the risk.

Recommendations For versions 4.1.1 and 4.2.2, upgrade to silverstripe/graphql 4.1.2 or 4.2.3 to remedy the vulnerability. As a temporary workaround, consider restricting access to the publicly exposed GraphQL endpoint until the issue is resolved. If the site is hosted behind a CDN, ensure the CDN configuration is up-to-date to maximize the mitigation of the risk.