PT-2023-27310 · Silverstripe · Silverstripe/Graphql

Jason Nguyen · Published 2023-10-16 · Updated 2023-10-23 · CVE-2023-40180

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

silverstripe-graphql versions prior to 3.8.2
silverstripe-graphql versions prior to 4.1.3
silverstripe-graphql versions prior to 4.2.5
silverstripe-graphql versions prior to 4.3.4
silverstripe-graphql versions prior to 5.0.3
Description

The issue affects silverstripe-graphql, a package that serves Silverstripe data in GraphQL representations. An attacker could use a recursive GraphQL query to execute a Distributed Denial of Service (DDoS) attack against a website. This mostly affects websites with publicly exposed GraphQL schemas. If the Silverstripe CMS project does not expose a public-facing GraphQL schema, a user account is required to trigger the DDoS attack. Hosting the site behind a content delivery network (CDN), such as Imperva or Cloudflare, may further mitigate the risk.
Recommendations

For versions prior to 3.8.2, upgrade to version 3.8.2 or later.
For versions prior to 4.1.3, upgrade to version 4.1.3 or later.
For versions prior to 4.2.5, upgrade to version 4.2.5 or later.
For versions prior to 4.3.4, upgrade to version 4.3.4 or later.
For versions prior to 5.0.3, upgrade to version 5.0.3 or later.

As a temporary workaround, consider restricting access to the GraphQL schema to minimize the risk of exploitation.
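The description above names the mechanism, a query that nests a self-referencing field until the server exhausts its resources. The following is an added illustration of the generic control for that mechanism, a selection-set depth guard applied before execution; it is not code from the advisory or from the silverstripe-graphql project, and the limit of 8 and the sample queries are constructed for the example.

```python
MAX_DEPTH = 8  # constructed policy value; tune it to the deepest legitimate query

def selection_depth(query: str) -> int:
    """Deepest selection-set nesting in a GraphQL document (outer set = 1).
    Scans raw text, ignoring braces inside '#' comments and string literals;
    unbalanced braces raise ValueError."""
    depth = deepest = 0
    i, n = 0, len(query)
    while i < n:
        c = query[i]
        if c == "#":  # comment runs to end of line
            while i < n and query[i] != "\n":
                i += 1
        elif c == '"':  # block string or quoted string (with backslash escapes)
            if query.startswith('"""', i):
                end = query.find('"""', i + 3)
                i = n if end < 0 else end + 3
                continue
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
            i += 1
            continue
        elif c == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif c == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced '}'")
        i += 1
    if depth != 0:
        raise ValueError("unbalanced '{'")
    return deepest

def check_query(query: str, max_depth: int = MAX_DEPTH) -> bool:
    """True if the document may proceed to execution, False if it must be refused."""
    try:
        return selection_depth(query) <= max_depth
    except ValueError:
        return False  # malformed input is refused rather than passed to the executor

# Constructed samples: a shallow legitimate query, and the self-referencing
# nesting pattern the advisory describes (a field that returns its own type).
LEGIT = "{ pages { title url } }"
RECURSIVE = "{ pages " + "{ children " * 12 + "{ title }" + " }" * 12 + " }"
```

Enforcing such a limit at the HTTP layer or in the GraphQL middleware bounds resolver work per request, and the rejections are worth logging as a detection signal alongside the upgrade and access restriction recommended above.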

Weakness Enumeration

Resource Exhaustion

Related Identifiers

CVE-2023-40180
GHSA-V23W-PPPM-JH66

Affected Products

Silverstripe/Graphql