Vulnerabilites related to apollographql - apollo_router
CVE-2023-45812 (GCVE-0-2023-45812)
Vulnerability from cvelistv5
Published
2023-10-18 21:29
Modified
2024-09-13 15:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Summary
The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when a multi-part response is sent. When users send queries to the router that uses the `@defer` or Subscriptions, the Router will panic. To be vulnerable, users of Router must have a coprocessor with `coprocessor.supergraph.response` configured in their `router.yaml` and also to support either `@defer` or Subscriptions. Apollo Router version 1.33.0 has a fix for this vulnerability which was introduced in PR #4014. Users are advised to upgrade. Users unable to upgrade should avoid using the coprocessor supergraph response or disable defer and subscriptions support and continue to use the coprocessor supergraph response.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| apollographql | router |
Version: >= 1.31.0, < 1.33.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:29:32.278Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/apollographql/router/security/advisories/GHSA-r344-xw3p-2frj",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/apollographql/router/security/advisories/GHSA-r344-xw3p-2frj"
},
{
"name": "https://github.com/apollographql/router/pull/4014",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/apollographql/router/pull/4014"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apollographql:apollo_router:1.31.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apollo_router",
"vendor": "apollographql",
"versions": [
{
"lessThanOrEqual": "1.33.0",
"status": "affected",
"version": "1.31.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45812",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-13T14:58:32.929626Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-13T15:02:17.414Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "router",
"vendor": "apollographql",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.31.0, \u003c 1.33.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when a multi-part response is sent. When users send queries to the router that uses the `@defer` or Subscriptions, the Router will panic. To be vulnerable, users of Router must have a coprocessor with `coprocessor.supergraph.response` configured in their `router.yaml` and also to support either `@defer` or Subscriptions. Apollo Router version 1.33.0 has a fix for this vulnerability which was introduced in PR #4014. Users are advised to upgrade. Users unable to upgrade should avoid using the coprocessor supergraph response or disable defer and subscriptions support and continue to use the coprocessor supergraph response."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-18T21:29:32.731Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/apollographql/router/security/advisories/GHSA-r344-xw3p-2frj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/apollographql/router/security/advisories/GHSA-r344-xw3p-2frj"
},
{
"name": "https://github.com/apollographql/router/pull/4014",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/apollographql/router/pull/4014"
}
],
"source": {
"advisory": "GHSA-r344-xw3p-2frj",
"discovery": "UNKNOWN"
},
"title": "Improper Check or Handling of Exceptional Conditions in apollo-router"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-45812",
"datePublished": "2023-10-18T21:29:32.731Z",
"dateReserved": "2023-10-13T12:00:50.437Z",
"dateUpdated": "2024-09-13T15:02:17.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43783 (GCVE-0-2024-43783)
Vulnerability from cvelistv5
Published
2024-08-27 17:16
Modified
2024-08-27 18:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Summary
The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Instances of the Apollo Router running versions >=1.21.0 and < 1.52.1 are impacted by a denial of service vulnerability if _all_ of the following are true: 1. The Apollo Router has been configured to support [External Coprocessing](https://www.apollographql.com/docs/router/customizations/coprocessor). 2. The Apollo Router has been configured to send request bodies to coprocessors. This is a non-default configuration and must be configured intentionally by administrators. Instances of the Apollo Router running versions >=1.7.0 and <1.52.1 are impacted by a denial-of-service vulnerability if all of the following are true: 1. Router has been configured to use a custom-developed Native Rust Plugin. 2. The plugin accesses Request.router_request in the RouterService layer. 3. You are accumulating the body from Request.router_request into memory. If using an impacted configuration, the Router will load entire HTTP request bodies into memory without respect to other HTTP request size-limiting configurations like limits.http_max_request_bytes. This can cause the Router to be out-of-memory (OOM) terminated if a sufficiently large request is sent to the Router. By default, the Router sets limits.http_max_request_bytes to 2 MB. If you have an impacted configuration as defined above, please upgrade to at least Apollo Router 1.52.1. If you cannot upgrade, you can mitigate the denial-of-service opportunity impacting External Coprocessors by setting the coprocessor.router.request.body configuration option to false. Please note that changing this configuration option will change the information sent to any coprocessors you have configured and may impact functionality implemented by those coprocessors. If you have developed a Native Rust Plugin and cannot upgrade, you can update your plugin to either not accumulate the request body or enforce a maximum body size limit. You can also mitigate this issue by limiting HTTP body payload sizes prior to the Router (e.g., in a proxy or web application firewall appliance).
References
| ► | URL | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| apollographql | router |
Version: >=1.7.0, < 1.52.1 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apollographql:apollo_router:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apollo_router",
"vendor": "apollographql",
"versions": [
{
"lessThan": "1.52.1",
"status": "affected",
"version": "1.7.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43783",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T18:04:15.713167Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T18:06:45.142Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "router",
"vendor": "apollographql",
"versions": [
{
"status": "affected",
"version": "\u003e=1.7.0, \u003c 1.52.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Instances of the Apollo Router running versions \u003e=1.21.0 and \u003c 1.52.1 are impacted by a denial of service vulnerability if _all_ of the following are true: 1. The Apollo Router has been configured to support [External Coprocessing](https://www.apollographql.com/docs/router/customizations/coprocessor). 2. The Apollo Router has been configured to send request bodies to coprocessors. This is a non-default configuration and must be configured intentionally by administrators. Instances of the Apollo Router running versions \u003e=1.7.0 and \u003c1.52.1 are impacted by a denial-of-service vulnerability if all of the following are true: 1. Router has been configured to use a custom-developed Native Rust Plugin. 2. The plugin accesses Request.router_request in the RouterService layer. 3. You are accumulating the body from Request.router_request into memory. If using an impacted configuration, the Router will load entire HTTP request bodies into memory without respect to other HTTP request size-limiting configurations like limits.http_max_request_bytes. This can cause the Router to be out-of-memory (OOM) terminated if a sufficiently large request is sent to the Router. By default, the Router sets limits.http_max_request_bytes to 2 MB. If you have an impacted configuration as defined above, please upgrade to at least Apollo Router 1.52.1. If you cannot upgrade, you can mitigate the denial-of-service opportunity impacting External Coprocessors by setting the coprocessor.router.request.body configuration option to false. Please note that changing this configuration option will change the information sent to any coprocessors you have configured and may impact functionality implemented by those coprocessors. If you have developed a Native Rust Plugin and cannot upgrade, you can update your plugin to either not accumulate the request body or enforce a maximum body size limit. You can also mitigate this issue by limiting HTTP body payload sizes prior to the Router (e.g., in a proxy or web application firewall appliance)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T17:16:28.571Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/apollographql/router/security/advisories/GHSA-x6xq-whh3-gg32",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/apollographql/router/security/advisories/GHSA-x6xq-whh3-gg32"
},
{
"name": "https://github.com/apollographql/router/commit/7a9c020608a62dcaa306b72ed0f6980f15923b14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/apollographql/router/commit/7a9c020608a62dcaa306b72ed0f6980f15923b14"
},
{
"name": "https://github.com/apollographql/router/releases/tag/v1.52.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/apollographql/router/releases/tag/v1.52.1"
},
{
"name": "https://www.apollographql.com/docs/router/configuration/overview/#request-limits",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.apollographql.com/docs/router/configuration/overview/#request-limits"
},
{
"name": "https://www.apollographql.com/docs/router/customizations/coprocessor",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.apollographql.com/docs/router/customizations/coprocessor"
},
{
"name": "https://www.apollographql.com/docs/router/customizations/native",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.apollographql.com/docs/router/customizations/native"
}
],
"source": {
"advisory": "GHSA-x6xq-whh3-gg32",
"discovery": "UNKNOWN"
},
"title": "Apollo Router Coprocessors may cause Denial-of-Service when handling request bodies"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-43783",
"datePublished": "2024-08-27T17:16:28.571Z",
"dateReserved": "2024-08-16T14:20:37.323Z",
"dateUpdated": "2024-08-27T18:06:45.142Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41317 (GCVE-0-2023-41317)
Vulnerability from cvelistv5
Published
2023-09-05 18:31
Modified
2024-09-30 19:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-755 - Improper Handling of Exceptional Conditions
Summary
The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when GraphQL Subscriptions are enabled. It can be triggered when **all of the following conditions are met**: 1. Running Apollo Router v1.28.0, v1.28.1 or v1.29.0 ("impacted versions"); **and** 2. The Supergraph schema provided to the Router (either via Apollo Uplink or explicitly via other configuration) **has a `subscription` type** with root-fields defined; **and** 3. The YAML configuration provided to the Router **has subscriptions enabled** (they are _disabled_ by default), either by setting `enabled: true` _or_ by setting a valid `mode` within the `subscriptions` object (as seen in [subscriptions' documentation](https://www.apollographql.com/docs/router/executing-operations/subscription-support/#router-setup)); **and** 4. An [anonymous](https://spec.graphql.org/draft/#sec-Anonymous-Operation-Definitions) (i.e., un-named) `subscription` operation (e.g., `subscription { ... }`) is received by the Router If **all four** of these criteria are met, the impacted versions will panic and terminate. There is no data-privacy risk or sensitive-information exposure aspect to this vulnerability. This is fixed in Apollo Router v1.29.1. Users are advised to upgrade. Updating to v1.29.1 should be a clear and simple upgrade path for those running impacted versions. However, if Subscriptions are **not** necessary for your Graph – but are enabled via configuration — then disabling subscriptions is another option to mitigate the risk.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| apollographql | router |
Version: >= 1.28.0, < 1.29.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:54:05.149Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/apollographql/router/security/advisories/GHSA-w8vq-3hf9-xppx",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/apollographql/router/security/advisories/GHSA-w8vq-3hf9-xppx"
},
{
"name": "https://github.com/apollographql/router/commit/b295c103dd86c57c848397d32e8094edfa8502aa",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/apollographql/router/commit/b295c103dd86c57c848397d32e8094edfa8502aa"
},
{
"name": "https://github.com/apollographql/router/releases/tag/v1.29.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/apollographql/router/releases/tag/v1.29.1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41317",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-30T19:17:04.266143Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T19:17:12.220Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "router",
"vendor": "apollographql",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.28.0, \u003c 1.29.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when GraphQL Subscriptions are enabled. It can be triggered when **all of the following conditions are met**: 1. Running Apollo Router v1.28.0, v1.28.1 or v1.29.0 (\"impacted versions\"); **and** 2. The Supergraph schema provided to the Router (either via Apollo Uplink or explicitly via other configuration)\u00a0**has a `subscription` type** with root-fields defined; **and** 3. The YAML configuration provided to the Router **has subscriptions enabled** (they are _disabled_ by default), either by setting `enabled: true` _or_ by setting a valid `mode` within the `subscriptions` object (as seen in [subscriptions\u0027 documentation](https://www.apollographql.com/docs/router/executing-operations/subscription-support/#router-setup)); **and** 4. An [anonymous](https://spec.graphql.org/draft/#sec-Anonymous-Operation-Definitions) (i.e., un-named) `subscription` operation (e.g., `subscription { ... }`) is received by the Router If **all four** of these criteria are met, the impacted versions will panic and terminate. There is no data-privacy risk or sensitive-information exposure aspect to this vulnerability. This is fixed in Apollo Router v1.29.1. Users are advised to upgrade. Updating to v1.29.1 should be a clear and simple upgrade path for those running impacted versions. However, if Subscriptions are **not** necessary for your Graph \u2013 but are enabled via configuration \u2014 then disabling subscriptions is another option to mitigate the risk."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755: Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-05T18:31:43.185Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/apollographql/router/security/advisories/GHSA-w8vq-3hf9-xppx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/apollographql/router/security/advisories/GHSA-w8vq-3hf9-xppx"
},
{
"name": "https://github.com/apollographql/router/commit/b295c103dd86c57c848397d32e8094edfa8502aa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/apollographql/router/commit/b295c103dd86c57c848397d32e8094edfa8502aa"
},
{
"name": "https://github.com/apollographql/router/releases/tag/v1.29.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/apollographql/router/releases/tag/v1.29.1"
}
],
"source": {
"advisory": "GHSA-w8vq-3hf9-xppx",
"discovery": "UNKNOWN"
},
"title": "Unnamed \"Subscription\" operation results in Denial-of-Service in apollographql/router"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-41317",
"datePublished": "2023-09-05T18:31:43.185Z",
"dateReserved": "2023-08-28T16:56:43.365Z",
"dateUpdated": "2024-09-30T19:17:12.220Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43414 (GCVE-0-2024-43414)
Vulnerability from cvelistv5
Published
2024-08-27 17:20
Modified
2024-08-27 17:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-674 - Uncontrolled Recursion
Summary
Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Each team can own their slice of the graph independently, empowering them to deliver autonomously and incrementally. Instances of @apollo/query-planner >=2.0.0 and <2.8.5 are impacted by a denial-of-service vulnerability. @apollo/gateway versions >=2.0.0 and < 2.8.5 and Apollo Router <1.52.1 are also impacted through their use of @apollo/query-panner. If @apollo/query-planner is asked to plan a sufficiently complex query, it may loop infinitely and never complete. This results in unbounded memory consumption and either a crash or out-of-memory (OOM) termination. This issue can be triggered if you have at least one non-@key field that can be resolved by multiple subgraphs. To identify these shared fields, the schema for each subgraph must be reviewed. The mechanism to identify shared fields varies based on the version of Federation your subgraphs are using. You can check if your subgraphs are using Federation 1 or Federation 2 by reviewing their schemas. Federation 2 subgraph schemas will contain a @link directive referencing the version of Federation being used while Federation 1 subgraphs will not. For example, in a Federation 2 subgraph, you will find a line like @link(url: "https://specs.apollo.dev/federation/v2.0"). If a similar @link directive is not present in your subgraph schema, it is using Federation 1. Note that a supergraph can contain a mix of Federation 1 and Federation 2 subgraphs. This issue results from the Apollo query planner attempting to use a Number exceeding Javascript’s Number.MAX_VALUE in some cases. In Javascript, Number.MAX_VALUE is (2^1024 - 2^971). When the query planner receives an inbound graphql request, it breaks the query into pieces and for each piece, generates a list of potential execution steps to solve the piece. These candidates represent the steps that the query planner will take to satisfy the pieces of the larger query. As part of normal operations, the query planner requires and calculates the number of possible query plans for the total query. That is, it needs the product of the number of query plan candidates for each piece of the query. Under normal circumstances, after generating all query plan candidates and calculating the number of all permutations, the query planner moves on to stack rank candidates and prune less-than-optimal options. In particularly complex queries, especially those where fields can be solved through multiple subgraphs, this can cause the number of all query plan permutations to balloon. In worst-case scenarios, this can end up being a number larger than Number.MAX_VALUE. In Javascript, if Number.MAX_VALUE is exceeded, Javascript represents the value as “infinity”. If the count of candidates is evaluated as infinity, the component of the query planner responsible for pruning less-than-optimal query plans does not actually prune candidates, causing the query planner to evaluate many orders of magnitude more query plan candidates than necessary. This issue has been addressed in @apollo/query-planner v2.8.5, @apollo/gateway v2.8.5, and Apollo Router v1.52.1. Users are advised to upgrade. This issue can be avoided by ensuring there are no fields resolvable from multiple subgraphs. If all subgraphs are using Federation 2, you can confirm that you are not impacted by ensuring that none of your subgraph schemas use the @shareable directive. If you are using Federation 1 subgraphs, you will need to validate that there are no fields resolvable by multiple subgraphs.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| apollographql | federation |
Version: >= 2.0.0, < 2.8.5 Version: < 1.52.1 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apollographql:federation:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "federation",
"vendor": "apollographql",
"versions": [
{
"lessThan": "2.8.5",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
},
{
"lessThan": "1.52.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43414",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T17:55:12.961543Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T17:58:38.192Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "federation",
"vendor": "apollographql",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.8.5"
},
{
"status": "affected",
"version": "\u003c 1.52.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Each team can own their slice of the graph independently, empowering them to deliver autonomously and incrementally. Instances of @apollo/query-planner \u003e=2.0.0 and \u003c2.8.5 are impacted by a denial-of-service vulnerability. @apollo/gateway versions \u003e=2.0.0 and \u003c 2.8.5 and Apollo Router \u003c1.52.1 are also impacted through their use of @apollo/query-panner. If @apollo/query-planner is asked to plan a sufficiently complex query, it may loop infinitely and never complete. This results in unbounded memory consumption and either a crash or out-of-memory (OOM) termination. This issue can be triggered if you have at least one non-@key field that can be resolved by multiple subgraphs. To identify these shared fields, the schema for each subgraph must be reviewed. The mechanism to identify shared fields varies based on the version of Federation your subgraphs are using. You can check if your subgraphs are using Federation 1 or Federation 2 by reviewing their schemas. Federation 2 subgraph schemas will contain a @link directive referencing the version of Federation being used while Federation 1 subgraphs will not. For example, in a Federation 2 subgraph, you will find a line like @link(url: \"https://specs.apollo.dev/federation/v2.0\"). If a similar @link directive is not present in your subgraph schema, it is using Federation 1. Note that a supergraph can contain a mix of Federation 1 and Federation 2 subgraphs. This issue results from the Apollo query planner attempting to use a Number exceeding Javascript\u2019s Number.MAX_VALUE in some cases. In Javascript, Number.MAX_VALUE is (2^1024 - 2^971). When the query planner receives an inbound graphql request, it breaks the query into pieces and for each piece, generates a list of potential execution steps to solve the piece. These candidates represent the steps that the query planner will take to satisfy the pieces of the larger query. As part of normal operations, the query planner requires and calculates the number of possible query plans for the total query. That is, it needs the product of the number of query plan candidates for each piece of the query. Under normal circumstances, after generating all query plan candidates and calculating the number of all permutations, the query planner moves on to stack rank candidates and prune less-than-optimal options. In particularly complex queries, especially those where fields can be solved through multiple subgraphs, this can cause the number of all query plan permutations to balloon. In worst-case scenarios, this can end up being a number larger than Number.MAX_VALUE. In Javascript, if Number.MAX_VALUE is exceeded, Javascript represents the value as \u201cinfinity\u201d. If the count of candidates is evaluated as infinity, the component of the query planner responsible for pruning less-than-optimal query plans does not actually prune candidates, causing the query planner to evaluate many orders of magnitude more query plan candidates than necessary. This issue has been addressed in @apollo/query-planner v2.8.5, @apollo/gateway v2.8.5, and Apollo Router v1.52.1. Users are advised to upgrade. This issue can be avoided by ensuring there are no fields resolvable from multiple subgraphs. If all subgraphs are using Federation 2, you can confirm that you are not impacted by ensuring that none of your subgraph schemas use the @shareable directive. If you are using Federation 1 subgraphs, you will need to validate that there are no fields resolvable by multiple subgraphs."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674: Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T17:20:05.375Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/apollographql/federation/security/advisories/GHSA-fmj9-77q8-g6c4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/apollographql/federation/security/advisories/GHSA-fmj9-77q8-g6c4"
},
{
"name": "https://www.apollographql.com/docs/federation/query-plans",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.apollographql.com/docs/federation/query-plans"
},
{
"name": "https://www.apollographql.com/docs/router/configuration/persisted-queries",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.apollographql.com/docs/router/configuration/persisted-queries"
}
],
"source": {
"advisory": "GHSA-fmj9-77q8-g6c4",
"discovery": "UNKNOWN"
},
"title": "Apollo Query Planner and Apollo Gateway may infinitely loop on sufficiently complex queries"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-43414",
"datePublished": "2024-08-27T17:20:05.375Z",
"dateReserved": "2024-08-12T18:02:04.967Z",
"dateUpdated": "2024-08-27T17:58:38.192Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2023-09-05 19:15
Modified
2024-11-21 08:21
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when GraphQL Subscriptions are enabled. It can be triggered when **all of the following conditions are met**: 1. Running Apollo Router v1.28.0, v1.28.1 or v1.29.0 ("impacted versions"); **and** 2. The Supergraph schema provided to the Router (either via Apollo Uplink or explicitly via other configuration) **has a `subscription` type** with root-fields defined; **and** 3. The YAML configuration provided to the Router **has subscriptions enabled** (they are _disabled_ by default), either by setting `enabled: true` _or_ by setting a valid `mode` within the `subscriptions` object (as seen in [subscriptions' documentation](https://www.apollographql.com/docs/router/executing-operations/subscription-support/#router-setup)); **and** 4. An [anonymous](https://spec.graphql.org/draft/#sec-Anonymous-Operation-Definitions) (i.e., un-named) `subscription` operation (e.g., `subscription { ... }`) is received by the Router If **all four** of these criteria are met, the impacted versions will panic and terminate. There is no data-privacy risk or sensitive-information exposure aspect to this vulnerability. This is fixed in Apollo Router v1.29.1. Users are advised to upgrade. Updating to v1.29.1 should be a clear and simple upgrade path for those running impacted versions. However, if Subscriptions are **not** necessary for your Graph – but are enabled via configuration — then disabling subscriptions is another option to mitigate the risk.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apollographql | apollo_router | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apollographql:apollo_router:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E16E7795-17A4-44E0-8F0C-0BB23693EBF5",
"versionEndExcluding": "1.29.1",
"versionStartIncluding": "1.28.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when GraphQL Subscriptions are enabled. It can be triggered when **all of the following conditions are met**: 1. Running Apollo Router v1.28.0, v1.28.1 or v1.29.0 (\"impacted versions\"); **and** 2. The Supergraph schema provided to the Router (either via Apollo Uplink or explicitly via other configuration)\u00a0**has a `subscription` type** with root-fields defined; **and** 3. The YAML configuration provided to the Router **has subscriptions enabled** (they are _disabled_ by default), either by setting `enabled: true` _or_ by setting a valid `mode` within the `subscriptions` object (as seen in [subscriptions\u0027 documentation](https://www.apollographql.com/docs/router/executing-operations/subscription-support/#router-setup)); **and** 4. An [anonymous](https://spec.graphql.org/draft/#sec-Anonymous-Operation-Definitions) (i.e., un-named) `subscription` operation (e.g., `subscription { ... }`) is received by the Router If **all four** of these criteria are met, the impacted versions will panic and terminate. There is no data-privacy risk or sensitive-information exposure aspect to this vulnerability. This is fixed in Apollo Router v1.29.1. Users are advised to upgrade. Updating to v1.29.1 should be a clear and simple upgrade path for those running impacted versions. However, if Subscriptions are **not** necessary for your Graph \u2013 but are enabled via configuration \u2014 then disabling subscriptions is another option to mitigate the risk."
},
{
"lang": "es",
"value": "El Apollo Router es un router gr\u00e1fico configurable y de alto rendimiento escrito en Rust para ejecutar un supergrafo federado que utiliza Apollo Federation 2. Las versiones afectadas est\u00e1n sujetas a una vulnerabilidad de tipo Denegaci\u00f3n de Servicio (DoS) que hace que el Router entre en p\u00e1nico y termine cuando GraphQL Subscriptions est\u00e1 habilitado. Puede activarse cuando **se cumplen todas las condiciones siguientes**: 1. Se ejecuta Apollo Router v1.28.0, v1.28.1 o v1.29.0 (versiones impactadas); **y** 2. El esquema Supergraph proporcionado al router (ya sea a trav\u00e9s de Apollo Uplink o expl\u00edcitamente a trav\u00e9s de otra configuraci\u00f3n) **tiene un tipo \"subscription\"** con campos ra\u00edz definidos; **y** 3. La configuraci\u00f3n YAML proporcionado al router **tiene las suscripciones habilitadas** (est\u00e1n _disabled_ por defecto), ya sea estableciendo \"enabled: true\" o estableciendo un \"mode\" v\u00e1lido dentro del objeto \"subscriptions\" (como se ve en [subscriptions\u0027 documentation](https://www. apollographql.com/docs/router/executing-operations/subscription-support/#router-setup)); **y** 4. Una operaci\u00f3n de \"suscripci\u00f3n\" [an\u00f3nima] (https://spec.graphql.org/draft/#sec-Anonymous-Operation-Definitions) (es decir, (es decir, sin nombre)(por ejemplo, `subscription { ... }`) es recibido por el Router. Si se cumplen **los cuatro** de estos criterios, las versiones afectadas entrar\u00e1n en p\u00e1nico y terminar\u00e1n. Esta vulnerabilidad no supone ning\u00fan riesgo para la privacidad de los datos o la exposici\u00f3n de informaci\u00f3n sensible. Esto se ha solucionado en Apollo Router v1.29.1. Se recomienda a los usuarios que actualicen. La actualizaci\u00f3n a la v1.29.1 deber\u00eda ser una ruta de actualizaci\u00f3n clara y sencilla para aquellos que utilicen las versiones afectadas. Sin embargo, si las Suscripciones **no** son necesarias para su Gr\u00e1fico - pero est\u00e1n habilitadas a trav\u00e9s de la configuraci\u00f3n - entonces deshabilitar las suscripciones es otra opci\u00f3n para mitigar el riesgo. "
}
],
"id": "CVE-2023-41317",
"lastModified": "2024-11-21T08:21:03.507",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-09-05T19:15:48.610",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/apollographql/router/commit/b295c103dd86c57c848397d32e8094edfa8502aa"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/apollographql/router/releases/tag/v1.29.1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/apollographql/router/security/advisories/GHSA-w8vq-3hf9-xppx"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/apollographql/router/commit/b295c103dd86c57c848397d32e8094edfa8502aa"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/apollographql/router/releases/tag/v1.29.1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/apollographql/router/security/advisories/GHSA-w8vq-3hf9-xppx"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-755"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-10-18 22:15
Modified
2024-11-21 08:27
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when a multi-part response is sent. When users send queries to the router that uses the `@defer` or Subscriptions, the Router will panic. To be vulnerable, users of Router must have a coprocessor with `coprocessor.supergraph.response` configured in their `router.yaml` and also to support either `@defer` or Subscriptions. Apollo Router version 1.33.0 has a fix for this vulnerability which was introduced in PR #4014. Users are advised to upgrade. Users unable to upgrade should avoid using the coprocessor supergraph response or disable defer and subscriptions support and continue to use the coprocessor supergraph response.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apollographql | apollo_router | * | |
| apollographql | apollo_helms-charts_router | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apollographql:apollo_router:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E5CBFBBF-CA05-439F-B7D9-0F0160C90006",
"versionEndIncluding": "1.32.0",
"versionStartIncluding": "1.31.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apollographql:apollo_helms-charts_router:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7E5629BA-4004-4210-B632-6E80CF4383D5",
"versionEndIncluding": "1.32.0",
"versionStartIncluding": "1.31.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when a multi-part response is sent. When users send queries to the router that uses the `@defer` or Subscriptions, the Router will panic. To be vulnerable, users of Router must have a coprocessor with `coprocessor.supergraph.response` configured in their `router.yaml` and also to support either `@defer` or Subscriptions. Apollo Router version 1.33.0 has a fix for this vulnerability which was introduced in PR #4014. Users are advised to upgrade. Users unable to upgrade should avoid using the coprocessor supergraph response or disable defer and subscriptions support and continue to use the coprocessor supergraph response."
},
{
"lang": "es",
"value": "Apollo Router es un router de gr\u00e1ficos configurable y de alto rendimiento escrito en Rust para ejecutar un supergrafo federado que utiliza Apollo Federation. Las versiones afectadas est\u00e1n sujetas a una vulnerabilidad de tipo Denegaci\u00f3n de Servicio (DoS) que hace que el Router entre en p\u00e1nico y finalice cuando se env\u00eda una respuesta de varias partes. Cuando los usuarios env\u00edan consultas al Router que utiliza `@defer` o Suscripciones, el Router entrar\u00e1 en p\u00e1nico. Para ser vulnerables, los usuarios de Router deben tener un coprocesador con `coprocessor.supergraph.response` configurado en su `router.yaml` y tambi\u00e9n admitir `@defer` o Suscripciones. La versi\u00f3n 1.33.0 de Apollo Router tiene una soluci\u00f3n para esta vulnerabilidad que se introdujo en el PR #4014. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben evitar el uso de la respuesta supergraph del coprocesador o desactivar el soporte de aplazamiento y suscripciones y continuar usando la respuesta supergraph del coprocesador."
}
],
"id": "CVE-2023-45812",
"lastModified": "2024-11-21T08:27:24.350",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-18T22:15:09.403",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/apollographql/router/pull/4014"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/apollographql/router/security/advisories/GHSA-r344-xw3p-2frj"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/apollographql/router/pull/4014"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/apollographql/router/security/advisories/GHSA-r344-xw3p-2frj"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-754"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-754"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-08-27 18:15
Modified
2024-09-12 21:33
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Each team can own their slice of the graph independently, empowering them to deliver autonomously and incrementally. Instances of @apollo/query-planner >=2.0.0 and <2.8.5 are impacted by a denial-of-service vulnerability. @apollo/gateway versions >=2.0.0 and < 2.8.5 and Apollo Router <1.52.1 are also impacted through their use of @apollo/query-panner. If @apollo/query-planner is asked to plan a sufficiently complex query, it may loop infinitely and never complete. This results in unbounded memory consumption and either a crash or out-of-memory (OOM) termination. This issue can be triggered if you have at least one non-@key field that can be resolved by multiple subgraphs. To identify these shared fields, the schema for each subgraph must be reviewed. The mechanism to identify shared fields varies based on the version of Federation your subgraphs are using. You can check if your subgraphs are using Federation 1 or Federation 2 by reviewing their schemas. Federation 2 subgraph schemas will contain a @link directive referencing the version of Federation being used while Federation 1 subgraphs will not. For example, in a Federation 2 subgraph, you will find a line like @link(url: "https://specs.apollo.dev/federation/v2.0"). If a similar @link directive is not present in your subgraph schema, it is using Federation 1. Note that a supergraph can contain a mix of Federation 1 and Federation 2 subgraphs. This issue results from the Apollo query planner attempting to use a Number exceeding Javascript’s Number.MAX_VALUE in some cases. In Javascript, Number.MAX_VALUE is (2^1024 - 2^971). When the query planner receives an inbound graphql request, it breaks the query into pieces and for each piece, generates a list of potential execution steps to solve the piece. These candidates represent the steps that the query planner will take to satisfy the pieces of the larger query. As part of normal operations, the query planner requires and calculates the number of possible query plans for the total query. That is, it needs the product of the number of query plan candidates for each piece of the query. Under normal circumstances, after generating all query plan candidates and calculating the number of all permutations, the query planner moves on to stack rank candidates and prune less-than-optimal options. In particularly complex queries, especially those where fields can be solved through multiple subgraphs, this can cause the number of all query plan permutations to balloon. In worst-case scenarios, this can end up being a number larger than Number.MAX_VALUE. In Javascript, if Number.MAX_VALUE is exceeded, Javascript represents the value as “infinity”. If the count of candidates is evaluated as infinity, the component of the query planner responsible for pruning less-than-optimal query plans does not actually prune candidates, causing the query planner to evaluate many orders of magnitude more query plan candidates than necessary. This issue has been addressed in @apollo/query-planner v2.8.5, @apollo/gateway v2.8.5, and Apollo Router v1.52.1. Users are advised to upgrade. This issue can be avoided by ensuring there are no fields resolvable from multiple subgraphs. If all subgraphs are using Federation 2, you can confirm that you are not impacted by ensuring that none of your subgraph schemas use the @shareable directive. If you are using Federation 1 subgraphs, you will need to validate that there are no fields resolvable by multiple subgraphs.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apollographql | apollo-router | * | |
| apollographql | apollo_gateway | * | |
| apollographql | apollo_helms-charts_router | * | |
| apollographql | apollo_query-planner | * | |
| apollographql | apollo_router | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apollographql:apollo-router:*:*:*:*:*:rust:*:*",
"matchCriteriaId": "DC2E3CE8-4AA1-4201-9D25-747129D12CF6",
"versionEndExcluding": "1.52.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apollographql:apollo_gateway:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "34C12E9C-CB82-4258-BE8D-A33ACCB4DF16",
"versionEndExcluding": "2.8.5",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apollographql:apollo_helms-charts_router:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5E734618-8E22-4FE6-B19D-FBE43CE5751F",
"versionEndExcluding": "1.52.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apollographql:apollo_query-planner:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "A0231E1E-F9F9-4C81-9161-16443D79280A",
"versionEndExcluding": "2.8.5",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apollographql:apollo_router:*:*:*:*:*:*:*:*",
"matchCriteriaId": "78F8E1F6-79E4-4B0B-A03B-EAC1D8898187",
"versionEndExcluding": "1.52.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Each team can own their slice of the graph independently, empowering them to deliver autonomously and incrementally. Instances of @apollo/query-planner \u003e=2.0.0 and \u003c2.8.5 are impacted by a denial-of-service vulnerability. @apollo/gateway versions \u003e=2.0.0 and \u003c 2.8.5 and Apollo Router \u003c1.52.1 are also impacted through their use of @apollo/query-panner. If @apollo/query-planner is asked to plan a sufficiently complex query, it may loop infinitely and never complete. This results in unbounded memory consumption and either a crash or out-of-memory (OOM) termination. This issue can be triggered if you have at least one non-@key field that can be resolved by multiple subgraphs. To identify these shared fields, the schema for each subgraph must be reviewed. The mechanism to identify shared fields varies based on the version of Federation your subgraphs are using. You can check if your subgraphs are using Federation 1 or Federation 2 by reviewing their schemas. Federation 2 subgraph schemas will contain a @link directive referencing the version of Federation being used while Federation 1 subgraphs will not. For example, in a Federation 2 subgraph, you will find a line like @link(url: \"https://specs.apollo.dev/federation/v2.0\"). If a similar @link directive is not present in your subgraph schema, it is using Federation 1. Note that a supergraph can contain a mix of Federation 1 and Federation 2 subgraphs. This issue results from the Apollo query planner attempting to use a Number exceeding Javascript\u2019s Number.MAX_VALUE in some cases. In Javascript, Number.MAX_VALUE is (2^1024 - 2^971). When the query planner receives an inbound graphql request, it breaks the query into pieces and for each piece, generates a list of potential execution steps to solve the piece. These candidates represent the steps that the query planner will take to satisfy the pieces of the larger query. As part of normal operations, the query planner requires and calculates the number of possible query plans for the total query. That is, it needs the product of the number of query plan candidates for each piece of the query. Under normal circumstances, after generating all query plan candidates and calculating the number of all permutations, the query planner moves on to stack rank candidates and prune less-than-optimal options. In particularly complex queries, especially those where fields can be solved through multiple subgraphs, this can cause the number of all query plan permutations to balloon. In worst-case scenarios, this can end up being a number larger than Number.MAX_VALUE. In Javascript, if Number.MAX_VALUE is exceeded, Javascript represents the value as \u201cinfinity\u201d. If the count of candidates is evaluated as infinity, the component of the query planner responsible for pruning less-than-optimal query plans does not actually prune candidates, causing the query planner to evaluate many orders of magnitude more query plan candidates than necessary. This issue has been addressed in @apollo/query-planner v2.8.5, @apollo/gateway v2.8.5, and Apollo Router v1.52.1. Users are advised to upgrade. This issue can be avoided by ensuring there are no fields resolvable from multiple subgraphs. If all subgraphs are using Federation 2, you can confirm that you are not impacted by ensuring that none of your subgraph schemas use the @shareable directive. If you are using Federation 1 subgraphs, you will need to validate that there are no fields resolvable by multiple subgraphs."
},
{
"lang": "es",
"value": "Apollo Federation es una arquitectura para componer API de forma declarativa en un gr\u00e1fico unificado. Cada equipo puede ser due\u00f1o de su porci\u00f3n del gr\u00e1fico de forma independiente, lo que les permite realizar entregas de forma aut\u00f3noma e incremental. Las instancias de @apollo/query-planner \u0026gt;=2.0.0 y \u0026lt;2.8.5 se ven afectadas por una vulnerabilidad de denegaci\u00f3n de servicio. Las versiones de @apollo/gateway \u0026gt;=2.0.0 y \u0026lt;2.8.5 y Apollo Router \u0026lt;1.52.1 tambi\u00e9n se ven afectadas por el uso de @apollo/query-panner. Si se le pide a @apollo/query-planner que planifique una consulta suficientemente compleja, es posible que se repita infinitamente y nunca se complete. Esto da como resultado un consumo de memoria ilimitado y una falla o terminaci\u00f3n por falta de memoria (OOM). Este problema puede desencadenarse si tiene al menos un campo que no sea @key y que pueda resolverse mediante varios subgrafos. Para identificar estos campos compartidos, se debe revisar el esquema de cada subgrafo. El mecanismo para identificar campos compartidos var\u00eda seg\u00fan la versi\u00f3n de Federaci\u00f3n que est\u00e9n utilizando sus subgrafos. Puede comprobar si sus subgrafos utilizan la Federaci\u00f3n 1 o la Federaci\u00f3n 2 revisando sus esquemas. Los esquemas de subgrafos de Federaci\u00f3n 2 contendr\u00e1n una directiva @link que hace referencia a la versi\u00f3n de Federaci\u00f3n que se utiliza, mientras que los subgrafos de Federaci\u00f3n 1 no. Por ejemplo, en un subgrafo de Federaci\u00f3n 2, encontrar\u00e1 una l\u00ednea como @link(url: \"https://specs.apollo.dev/federation/v2.0\"). Si una directiva @link similar no est\u00e1 presente en su esquema de subgrafo, est\u00e1 utilizando la Federaci\u00f3n 1. Tenga en cuenta que un supergrafo puede contener una combinaci\u00f3n de subgrafos de Federaci\u00f3n 1 y Federaci\u00f3n 2. Este problema se debe a que el planificador de consultas de Apollo intenta utilizar un n\u00famero que excede el n\u00famero de Javascript.MAX_VALUE en algunos casos. En Javascript, Number.MAX_VALUE es (2^1024 - 2^971). Cuando el planificador de consultas recibe una solicitud Graphql entrante, divide la consulta en partes y, para cada parte, genera una lista de posibles pasos de ejecuci\u00f3n para resolver la parte. Estos candidatos representan los pasos que seguir\u00e1 el planificador de consultas para satisfacer las partes de la consulta m\u00e1s grande. Como parte de las operaciones normales, el planificador de consultas requiere y calcula la cantidad de planes de consulta posibles para la consulta total. Es decir, necesita el producto del n\u00famero de candidatos al plan de consulta para cada parte de la consulta. En circunstancias normales, despu\u00e9s de generar todos los candidatos al plan de consulta y calcular el n\u00famero de todas las permutaciones, el planificador de consultas pasa a clasificar los candidatos y eliminar las opciones menos \u00f3ptimas. En consultas particularmente complejas, especialmente aquellas donde los campos se pueden resolver a trav\u00e9s de m\u00faltiples subgrafos, esto puede hacer que el n\u00famero de todas las permutaciones del plan de consulta aumente. En el peor de los casos, esto puede terminar siendo un n\u00famero mayor que Number.MAX_VALUE. En Javascript, si se excede Number.MAX_VALUE, Javascript representa el valor como \"infinito\". Si el recuento de candidatos se eval\u00faa como infinito, el componente del planificador de consultas responsable de eliminar los planes de consultas que no son \u00f3ptimos en realidad no elimina los candidatos, lo que hace que el planificador de consultas eval\u00fae muchos \u00f3rdenes de magnitud m\u00e1s candidatos a planes de consultas de los necesarios. Este problema se solucion\u00f3 en @apollo/query-planner v2.8.5, @apollo/gateway v2.8.5 y Apollo Router v1.52.1. Se recomienda a los usuarios que actualicen. Este problema se puede evitar asegur\u00e1ndose de que no haya campos que se puedan resolver en varios subgrafos. Si todos los subgrafos utilizan la Federaci\u00f3n 2, puede confirmar que no se ver\u00e1 afectado asegur\u00e1ndose de que ninguno de sus esquemas de subgrafos utilice la directiva @shareable. --- TRUNCADO ----"
}
],
"id": "CVE-2024-43414",
"lastModified": "2024-09-12T21:33:40.887",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-27T18:15:15.083",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit"
],
"url": "https://github.com/apollographql/federation/security/advisories/GHSA-fmj9-77q8-g6c4"
},
{
"source": "security-advisories@github.com",
"tags": [
"Technical Description"
],
"url": "https://www.apollographql.com/docs/federation/query-plans"
},
{
"source": "security-advisories@github.com",
"tags": [
"Technical Description"
],
"url": "https://www.apollographql.com/docs/router/configuration/persisted-queries"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-674"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-674"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-08-27 18:15
Modified
2024-09-12 21:33
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Instances of the Apollo Router running versions >=1.21.0 and < 1.52.1 are impacted by a denial of service vulnerability if _all_ of the following are true: 1. The Apollo Router has been configured to support [External Coprocessing](https://www.apollographql.com/docs/router/customizations/coprocessor). 2. The Apollo Router has been configured to send request bodies to coprocessors. This is a non-default configuration and must be configured intentionally by administrators. Instances of the Apollo Router running versions >=1.7.0 and <1.52.1 are impacted by a denial-of-service vulnerability if all of the following are true: 1. Router has been configured to use a custom-developed Native Rust Plugin. 2. The plugin accesses Request.router_request in the RouterService layer. 3. You are accumulating the body from Request.router_request into memory. If using an impacted configuration, the Router will load entire HTTP request bodies into memory without respect to other HTTP request size-limiting configurations like limits.http_max_request_bytes. This can cause the Router to be out-of-memory (OOM) terminated if a sufficiently large request is sent to the Router. By default, the Router sets limits.http_max_request_bytes to 2 MB. If you have an impacted configuration as defined above, please upgrade to at least Apollo Router 1.52.1. If you cannot upgrade, you can mitigate the denial-of-service opportunity impacting External Coprocessors by setting the coprocessor.router.request.body configuration option to false. Please note that changing this configuration option will change the information sent to any coprocessors you have configured and may impact functionality implemented by those coprocessors. If you have developed a Native Rust Plugin and cannot upgrade, you can update your plugin to either not accumulate the request body or enforce a maximum body size limit. You can also mitigate this issue by limiting HTTP body payload sizes prior to the Router (e.g., in a proxy or web application firewall appliance).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apollographql | apollo-router | * | |
| apollographql | apollo_helms-charts_router | * | |
| apollographql | apollo_router | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apollographql:apollo-router:*:*:*:*:*:rust:*:*",
"matchCriteriaId": "B29EFF0B-104E-40C3-B57F-364E3A597BC6",
"versionEndExcluding": "1.52.1",
"versionStartIncluding": "1.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apollographql:apollo_helms-charts_router:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E422884F-DBC0-4D18-89A9-3BEE67AA14F5",
"versionEndExcluding": "1.52.1",
"versionStartIncluding": "1.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apollographql:apollo_router:*:*:*:*:*:*:*:*",
"matchCriteriaId": "239DF16D-B5D7-4830-9EAF-62A17112B12B",
"versionEndExcluding": "1.52.1",
"versionStartIncluding": "1.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Instances of the Apollo Router running versions \u003e=1.21.0 and \u003c 1.52.1 are impacted by a denial of service vulnerability if _all_ of the following are true: 1. The Apollo Router has been configured to support [External Coprocessing](https://www.apollographql.com/docs/router/customizations/coprocessor). 2. The Apollo Router has been configured to send request bodies to coprocessors. This is a non-default configuration and must be configured intentionally by administrators. Instances of the Apollo Router running versions \u003e=1.7.0 and \u003c1.52.1 are impacted by a denial-of-service vulnerability if all of the following are true: 1. Router has been configured to use a custom-developed Native Rust Plugin. 2. The plugin accesses Request.router_request in the RouterService layer. 3. You are accumulating the body from Request.router_request into memory. If using an impacted configuration, the Router will load entire HTTP request bodies into memory without respect to other HTTP request size-limiting configurations like limits.http_max_request_bytes. This can cause the Router to be out-of-memory (OOM) terminated if a sufficiently large request is sent to the Router. By default, the Router sets limits.http_max_request_bytes to 2 MB. If you have an impacted configuration as defined above, please upgrade to at least Apollo Router 1.52.1. If you cannot upgrade, you can mitigate the denial-of-service opportunity impacting External Coprocessors by setting the coprocessor.router.request.body configuration option to false. Please note that changing this configuration option will change the information sent to any coprocessors you have configured and may impact functionality implemented by those coprocessors. If you have developed a Native Rust Plugin and cannot upgrade, you can update your plugin to either not accumulate the request body or enforce a maximum body size limit. You can also mitigate this issue by limiting HTTP body payload sizes prior to the Router (e.g., in a proxy or web application firewall appliance)."
},
{
"lang": "es",
"value": "Apollo Router Core es un enrutador de gr\u00e1ficos configurable y de alto rendimiento escrito en Rust para ejecutar un supergrafo federado que utiliza Apollo Federation 2. Las instancias del enrutador Apollo que ejecutan versiones \u0026gt;=1.21.0 y \u0026lt;1.52.1 se ven afectadas por una denegaci\u00f3n de vulnerabilidad del servicio si _todo_ lo siguiente es verdadero: 1. El enrutador Apollo se ha configurado para admitir [coprocesamiento externo] (https://www.apollographql.com/docs/router/customizations/coprocessor). 2. El enrutador Apollo se ha configurado para enviar cuerpos de solicitud a los coprocesadores. Esta es una configuraci\u00f3n no predeterminada y los administradores deben configurarla intencionalmente. Las instancias del enrutador Apollo que ejecutan las versiones \u0026gt;=1.7.0 y \u0026lt;1.52.1 se ven afectadas por una vulnerabilidad de denegaci\u00f3n de servicio si se cumple todo lo siguiente: 1. El enrutador se ha configurado para utilizar un complemento Native Rust desarrollado a medida. 2. El complemento accede a Request.router_request en la capa RouterService. 3. Est\u00e1s acumulando el cuerpo de Request.router_request en la memoria. Si utiliza una configuraci\u00f3n afectada, el enrutador cargar\u00e1 cuerpos completos de solicitudes HTTP en la memoria sin respetar otras configuraciones que limitan el tama\u00f1o de las solicitudes HTTP, como limites.http_max_request_bytes. Esto puede provocar que el enrutador finalice por falta de memoria (OOM) si se env\u00eda una solicitud suficientemente grande al enrutador. De forma predeterminada, el enrutador establece l\u00edmites.http_max_request_bytes en 2 MB. Si tiene una configuraci\u00f3n afectada como se define anteriormente, actualice al menos a Apollo Router 1.52.1. Si no puede actualizar, puede mitigar la oportunidad de denegaci\u00f3n de servicio que afecta a los coprocesadores externos configurando la opci\u00f3n de configuraci\u00f3n coprocessor.router.request.body en falso. Tenga en cuenta que cambiar esta opci\u00f3n de configuraci\u00f3n cambiar\u00e1 la informaci\u00f3n enviada a cualquier coprocesador que haya configurado y puede afectar la funcionalidad implementada por esos coprocesadores. Si ha desarrollado un complemento Native Rust y no puede actualizarlo, puede actualizar su complemento para no acumular el cuerpo de la solicitud o imponer un l\u00edmite m\u00e1ximo de tama\u00f1o del cuerpo. Tambi\u00e9n puede mitigar este problema limitando los tama\u00f1os de carga \u00fatil del cuerpo HTTP antes del enrutador (por ejemplo, en un proxy o dispositivo de firewall de aplicaciones web)."
}
],
"id": "CVE-2024-43783",
"lastModified": "2024-09-12T21:33:56.637",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-27T18:15:15.403",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/apollographql/router/commit/7a9c020608a62dcaa306b72ed0f6980f15923b14"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/apollographql/router/releases/tag/v1.52.1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/apollographql/router/security/advisories/GHSA-x6xq-whh3-gg32"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://www.apollographql.com/docs/router/configuration/overview/#request-limits"
},
{
"source": "security-advisories@github.com",
"tags": [
"Technical Description"
],
"url": "https://www.apollographql.com/docs/router/customizations/coprocessor"
},
{
"source": "security-advisories@github.com",
"tags": [
"Technical Description"
],
"url": "https://www.apollographql.com/docs/router/customizations/native"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}