CVE-2023-45812

The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when a multi-part response is sent. When users send queries to the router that uses the `@defer` or Subscriptions, the Router will panic. To be vulnerable, users of Router must have a coprocessor with `coprocessor.supergraph.response` configured in their `router.yaml` and also to support either `@defer` or Subscriptions. Apollo Router version 1.33.0 has a fix for this vulnerability which was introduced in PR #4014. Users are advised to upgrade. Users unable to upgrade should avoid using the coprocessor supergraph response or disable defer and subscriptions support and continue to use the coprocessor supergraph response.
Configurations

Configuration 1 (hide)

cpe:2.3:a:apollographql:apollo_router:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:apollographql:apollo_helms-charts_router:*:*:*:*:*:*:*:*

History

30 Oct 2023, 14:55

Type Values Removed Values Added
First Time Apollographql
Apollographql apollo Helms-charts Router
Apollographql apollo Router
CWE CWE-754
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
CPE cpe:2.3:a:apollographql:apollo_helms-charts_router:*:*:*:*:*:*:*:*
cpe:2.3:a:apollographql:apollo_router:*:*:*:*:*:*:*:*
References (MISC) https://github.com/apollographql/router/security/advisories/GHSA-r344-xw3p-2frj - (MISC) https://github.com/apollographql/router/security/advisories/GHSA-r344-xw3p-2frj - Mitigation, Vendor Advisory
References (MISC) https://github.com/apollographql/router/pull/4014 - (MISC) https://github.com/apollographql/router/pull/4014 - Patch

18 Oct 2023, 22:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-10-18 22:15

Updated : 2024-02-28 20:33


NVD link : CVE-2023-45812

Mitre link : CVE-2023-45812

CVE.ORG link : CVE-2023-45812


JSON object : View

Products Affected

apollographql

  • apollo_router
  • apollo_helms-charts_router
CWE
CWE-754

Improper Check for Unusual or Exceptional Conditions