CVE-2023-45812

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-45812
The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when a multi-part response is sent. When users send queries to the router that uses the `@defer` or Subscriptions, the Router will panic. To be vulnerable, users of Router must have a coprocessor with `coprocessor.supergraph.response` configured in their `router.yaml` and also to support either `@defer` or Subscriptions. Apollo Router version 1.33.0 has a fix for this vulnerability which was introduced in PR #4014. Users are advised to upgrade. Users unable to upgrade should avoid using the coprocessor supergraph response or disable defer and subscriptions support and continue to use the coprocessor supergraph response.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/apollographql/router/pull/4014 Patch
https://github.com/apollographql/router/security/advisories/GHSA-r344-xw3p-2frj Mitigation Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:apollographql:apollo_router:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:apollographql:apollo_helms-charts_router:*:*:*:*:*:*:*:*
History

30 Oct 2023, 14:55

Type Values Removed Values Added
First Time Apollographql
Apollographql apollo Helms-charts Router
Apollographql apollo Router
CWE CWE-754
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.5
CPE cpe:2.3:a:apollographql:apollo_helms-charts_router:*:*:*:*:*:*:*:*
cpe:2.3:a:apollographql:apollo_router:*:*:*:*:*:*:*:*
References (MISC) https://github.com/apollographql/router/security/advisories/GHSA-r344-xw3p-2frj - (MISC) https://github.com/apollographql/router/security/advisories/GHSA-r344-xw3p-2frj - Mitigation, Vendor Advisory
References (MISC) https://github.com/apollographql/router/pull/4014 - (MISC) https://github.com/apollographql/router/pull/4014 - Patch

18 Oct 2023, 22:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-10-18 22:15

Updated : 2024-02-28 20:33

NVD link : CVE-2023-45812

Mitre link : CVE-2023-45812

CVE.ORG link : CVE-2023-45812

JSON object : View

Products Affected

apollographql

  • apollo_router
  • apollo_helms-charts_router
CWE
CWE-754

Improper Check for Unusual or Exceptional Conditions


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024