CVE-2023-45812 – apollo-router
Package
Manager: cargo
Name: apollo-router
Vulnerable Version: >=1.31.0 <1.33.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00313 (percentile 0.53893)
Details
Apollo Router vulnerable to Improper Check or Handling of Exceptional Conditions

### Impact

The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS) vulnerability which causes the Router to panic and terminate when a multi-part response is sent. When users send queries to the Router that use `@defer` or Subscriptions, the Router will panic. To be vulnerable, users of the Router must have a coprocessor with `coprocessor.supergraph.response` configured in their `router.yaml` and also support either `@defer` or Subscriptions.

### Patches

Router version 1.33.0 has a fix for this vulnerability. https://github.com/apollographql/router/pull/4014 fixes the issue.

### Workarounds

For affected versions, avoid using the coprocessor supergraph response stage:

```yml
# do not use this stage in your coprocessor configuration
coprocessor:
  supergraph:
    response:
```

Or you can disable defer and subscriptions support:

```yml
# disable defer and subscriptions:
supergraph:
  defer_support: false # enabled by default
subscription:
  enabled: false # disabled by default
```

and continue to use the coprocessor supergraph response.

### References

https://github.com/apollographql/router/issues/4013
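The advisory's exposure condition has three parts (affected version, the `coprocessor.supergraph.response` stage configured, and `@defer` or Subscriptions enabled), so a fleet audit has to check all three together. The following is an added example, not code from the Apollo Router project or this advisory: it evaluates a `router.yaml` that has already been parsed into nested dicts (for instance with `yaml.safe_load`) against the router version in use. It assumes the defaults the advisory states (`supergraph.defer_support` on, `subscription.enabled` off) and treats the response stage as configured whenever the `response` key is present under `coprocessor.supergraph`, even with an empty value; the sample configs at the bottom are constructed and use only the keys named in the advisory.

```python
from typing import Any, List, Mapping, Sequence, Tuple

# Affected range from the advisory: >=1.31.0 <1.33.0
AFFECTED_MIN = (1, 31, 0)
FIXED_VERSION = (1, 33, 0)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '1.32.0', 'v1.32.0' or '1.32.0-rc.1' into a comparable (major, minor, patch)."""
    core = version.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".") if p]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def version_affected(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) < FIXED_VERSION


def _lookup(cfg: Mapping[str, Any], path: Sequence[str]) -> Any:
    """Walk nested mappings; return None if any key along the path is missing."""
    cur: Any = cfg
    for key in path:
        if not isinstance(cur, Mapping) or key not in cur:
            return None
        cur = cur[key]
    return cur


def coprocessor_response_stage_configured(cfg: Mapping[str, Any]) -> bool:
    """Assumption: the stage counts as configured whenever the
    coprocessor.supergraph.response key is present, even if its value is empty."""
    supergraph = _lookup(cfg, ("coprocessor", "supergraph"))
    return isinstance(supergraph, Mapping) and "response" in supergraph


def multipart_responses_possible(cfg: Mapping[str, Any]) -> bool:
    """@defer (default on) or subscriptions (default off) produce multipart responses."""
    defer = _lookup(cfg, ("supergraph", "defer_support"))
    defer_on = True if defer is None else bool(defer)
    subs = _lookup(cfg, ("subscription", "enabled"))
    subs_on = False if subs is None else bool(subs)
    return defer_on or subs_on


def assess(cfg: Mapping[str, Any], version: str) -> Tuple[bool, List[str]]:
    """Return (exposed, findings) for one router deployment."""
    findings: List[str] = []
    if not version_affected(version):
        findings.append(f"router {version} is outside the affected range")
        return False, findings
    findings.append(f"router {version} is in the affected range >=1.31.0 <1.33.0")
    stage = coprocessor_response_stage_configured(cfg)
    multipart = multipart_responses_possible(cfg)
    findings.append("coprocessor.supergraph.response is " + ("configured" if stage else "absent"))
    findings.append("@defer/subscriptions are " + ("enabled" if multipart else "both disabled"))
    exposed = stage and multipart
    if exposed:
        findings.append("EXPOSED: upgrade to 1.33.0, remove the response stage, "
                        "or disable both defer and subscriptions")
    return exposed, findings


# Constructed sample configs (not from any real deployment), shaped like
# router.yaml after yaml.safe_load. Only keys named in the advisory are used.
VULNERABLE_CONFIG = {
    "coprocessor": {"supergraph": {"response": {}}},  # response stage present
    # supergraph.defer_support omitted -> defaults to true
}
MITIGATED_CONFIG = {
    "coprocessor": {"supergraph": {"response": {}}},
    "supergraph": {"defer_support": False},
    "subscription": {"enabled": False},
}
SUBSCRIPTIONS_CONFIG = {
    "coprocessor": {"supergraph": {"response": {}}},
    "supergraph": {"defer_support": False},
    "subscription": {"enabled": True},  # subscriptions alone are enough
}

if __name__ == "__main__":
    for name, cfg in [("vulnerable", VULNERABLE_CONFIG),
                      ("mitigated", MITIGATED_CONFIG),
                      ("subscriptions", SUBSCRIPTIONS_CONFIG)]:
        exposed, findings = assess(cfg, "1.32.0")
        print(name, "->", "EXPOSED" if exposed else "ok")
        for line in findings:
            print("  -", line)
```

To run it against a real deployment, replace the constructed dicts with `yaml.safe_load(open("router.yaml"))` (PyYAML) and pass the version reported by the router binary. The check deliberately errs on the side of flagging: an empty `response:` key is still counted as the stage being configured, because the advisory's workaround removes the stage rather than leaving it empty.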
Metadata
Created: 2023-10-19T16:08:10Z
Modified: 2023-10-19T16:08:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r344-xw3p-2frj/GHSA-r344-xw3p-2frj.json
CWE IDs: ["CWE-703", "CWE-754"]
Alternative ID: GHSA-r344-xw3p-2frj
Finding: F002
Auto approve: 1