Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-45812

Good to know:

icon

Date: October 18, 2023

The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when a multi-part response is sent. When users send queries to the router that uses the `@defer` or Subscriptions, the Router will panic. To be vulnerable, users of Router must have a coprocessor with `coprocessor.supergraph.response` configured in their `router.yaml` and also to support either `@defer` or Subscriptions. Apollo Router version 1.33.0 has a fix for this vulnerability which was introduced in PR #4014. Users are advised to upgrade. Users unable to upgrade should avoid using the coprocessor supergraph response or disable defer and subscriptions support and continue to use the coprocessor supergraph response.

Language: RUST

Severity Score

Related Resources (4)

https://github.com/apollographql/router/pull/4014
https://nvd.nist.gov/vuln/detail/CVE-2023-45812
https://github.com/apollographql/router/security/advisories/GHSA-r344-xw3p-2frj
https://www.mend.io/vulnerability-database/CVE-2023-45812

Severity Score

Weakness Type (CWE)

Improper Check for Unusual or Exceptional Conditions

CWE-754

Top Fix

icon

Upgrade Version

Upgrade to version apollo-router - 1.33.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): HIGH

Do you need more information?

Contact Us