CVE-2023-40180

silverstripe-graphql is a package which serves Silverstripe data in GraphQL representations. An attacker could use a recursive graphql query to execute a Distributed Denial of Service attack (DDOS attack) against a website. This mostly affects websites with publicly exposed graphql schemas. If your Silverstripe CMS project does not expose a public facing graphql schema, a user account is required to trigger the DDOS attack. If your site is hosted behind a content delivery network (CDN), such as Imperva or CloudFlare, this may further mitigate the risk. This issue has been addressed in versions 3.8.2, 4.1.3, 4.2.5, 4.3.4, and 5.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:silverstripe:graphql:*:*:*:*:*:*:*:*
cpe:2.3:a:silverstripe:graphql:*:*:*:*:*:*:*:*
cpe:2.3:a:silverstripe:graphql:*:*:*:*:*:*:*:*
cpe:2.3:a:silverstripe:graphql:*:*:*:*:*:*:*:*
cpe:2.3:a:silverstripe:graphql:*:*:*:*:*:*:*:*

History

23 Oct 2023, 14:21

Type Values Removed Values Added
References (MISC) https://github.com/silverstripe/silverstripe-graphql/commit/f6d5976ec4608e51184b0db1ee5b9e9a99d2501c - (MISC) https://github.com/silverstripe/silverstripe-graphql/commit/f6d5976ec4608e51184b0db1ee5b9e9a99d2501c - Patch
References (MISC) https://github.com/silverstripe/silverstripe-graphql/tree/3.8#recursive-or-complex-queries - (MISC) https://github.com/silverstripe/silverstripe-graphql/tree/3.8#recursive-or-complex-queries - Third Party Advisory
References (MISC) https://docs.silverstripe.org/en/developer_guides/graphql/security_and_best_practices/recursive_or_complex_queries - (MISC) https://docs.silverstripe.org/en/developer_guides/graphql/security_and_best_practices/recursive_or_complex_queries - Mitigation
References (MISC) https://github.com/silverstripe/silverstripe-graphql/security/advisories/GHSA-v23w-pppm-jh66 - (MISC) https://github.com/silverstripe/silverstripe-graphql/security/advisories/GHSA-v23w-pppm-jh66 - Third Party Advisory
References (MISC) https://www.silverstripe.org/download/security-releases/CVE-2023-40180 - (MISC) https://www.silverstripe.org/download/security-releases/CVE-2023-40180 - Vendor Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
First Time Silverstripe
Silverstripe graphql
CPE cpe:2.3:a:silverstripe:graphql:*:*:*:*:*:*:*:*

16 Oct 2023, 19:24

Type Values Removed Values Added
New CVE

Information

Published : 2023-10-16 19:15

Updated : 2024-02-28 20:33


NVD link : CVE-2023-40180

Mitre link : CVE-2023-40180

CVE.ORG link : CVE-2023-40180


JSON object : View

Products Affected

silverstripe

  • graphql
CWE
CWE-400

Uncontrolled Resource Consumption