PT-2023-27902 · Unknown · Apollo Router
Nmoutschen · Published 2023-09-05 · Updated 2023-09-08 · CVE-2023-41317
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Apollo Router versions 1.28.0 through 1.29.0
Description
The Apollo Router is subject to a Denial-of-Service (DoS) vulnerability that causes the Router to panic and terminate when GraphQL Subscriptions are enabled. This can be triggered when all of the following conditions are met:
- Running an impacted version of Apollo Router;
- The Supergraph schema has a subscription type with root fields defined;
- The YAML configuration has subscriptions enabled;
- An anonymous subscription operation is received by the Router.
There is no data-privacy risk or sensitive-information exposure aspect to this vulnerability.
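As an added triage helper (not code from the advisory or from the Apollo project), the following Python encodes the four conditions above so an operator can check whether a deployment, and a given incoming document, fall inside the affected scenario before the upgrade to 1.29.1 lands. It assumes the router YAML has already been loaded into a dict with a top-level `subscription.enabled` flag, and that the schema's subscription root type uses the default name `Subscription`; the sample config, SDL and request at the bottom are constructed for illustration.

```python
import re

# Affected range from the advisory: 1.28.0 through 1.29.0, fixed in 1.29.1.
AFFECTED_MIN = (1, 28, 0)
FIXED_VERSION = (1, 29, 1)


def parse_version(version):
    """Turn '1.28.3' or 'v1.28.3' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Apollo Router version: {version!r}")
    return tuple(int(part) for part in m.groups())


def version_affected(version):
    """True for 1.28.0 <= version < 1.29.1, the range the advisory names."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_VERSION


def subscriptions_enabled(config):
    """Assumed config shape: a top-level 'subscription' mapping with an 'enabled' flag."""
    section = config.get("subscription") or {}
    return bool(section.get("enabled", False))


# Assumes the subscription root type carries the default name 'Subscription'.
_SUBSCRIPTION_TYPE_RE = re.compile(r"\btype\s+Subscription\b[^{]*\{([^}]*)\}")


def schema_has_subscription_root_fields(sdl):
    """True if the (super)graph SDL declares a Subscription type with at least one field."""
    m = _SUBSCRIPTION_TYPE_RE.search(sdl)
    if not m:
        return False
    body = re.sub(r"#[^\n]*", "", m.group(1))  # drop SDL comments before looking for fields
    return re.search(r"[_A-Za-z][_0-9A-Za-z]*\s*(\(|:)", body) is not None


_OPERATION_RE = re.compile(r"^\s*(query|mutation|subscription)\b\s*([_A-Za-z][_0-9A-Za-z]*)?")


def is_anonymous_subscription(document):
    """True if the request document is a subscription operation with no operation name."""
    src = re.sub(r"#[^\n]*", "", document)  # GraphQL comments must not hide the keyword
    m = _OPERATION_RE.match(src)
    return bool(m) and m.group(1) == "subscription" and m.group(2) is None


def request_can_trigger(version, config, sdl, document):
    """All four advisory conditions hold for this deployment and this incoming document."""
    return (version_affected(version) and subscriptions_enabled(config)
            and schema_has_subscription_root_fields(sdl)
            and is_anonymous_subscription(document))


# Constructed sample deployment (not a real schema or config) to exercise the check.
SAMPLE_CONFIG = {"subscription": {"enabled": True}}
SAMPLE_SDL = "type Subscription @join__type(graph: POSTS) {\n  newPost: Post\n}"
SAMPLE_REQUEST = "subscription { newPost { id } }"
```

Logging the result of `request_can_trigger` at the gateway gives a count of how often the unpatched scenario is actually being hit, which is useful when deciding whether to apply the workaround of disabling subscriptions ahead of the upgrade.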
Recommendations
For Apollo Router versions 1.28.0 through 1.29.0, update to version 1.29.1 to resolve the issue.
As a temporary workaround, consider disabling subscriptions if they are not necessary for your Graph.
Weakness Enumeration
Improper Handling of Exceptional Conditions
Related Identifiers
Affected Products
Apollo Router