exploitDog

GHSA-74cr-77xc-8g6r

Published: 13 Jun 2019
Source: github
GitHub: Reviewed
CVSS3: 7.3

Description

Prototype Pollution in @apollo/gateway

Versions of @apollo/gateway prior to 0.6.2 are vulnerable to Prototype Pollution. The package uses deepMerge() to merge objects, which may allow attackers to alter the Object prototype through queries with GraphQL aliases. Carefully constructed payloads can override properties of all objects in the application. This may lead to Denial of Service or may be chained with other vulnerabilities leading to Remote Code Execution.
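To make the bug class concrete, the following is an added example, not code from @apollo/gateway or from the advisory. It pairs a naive recursive deepMerge of the kind the description refers to with a hardened variant, and drives both with a constructed response fragment whose top-level key was chosen by a client alias named __proto__ (a syntactically valid GraphQL Name). The payload, the function names and the "polluted" property are illustrative assumptions; the actual fix shipped in 0.6.2 is not reproduced here.

```javascript
// Added example: naive vs. hardened deep merge (not @apollo/gateway's own code).
// The input below is CONSTRUCTED for illustration: it models a partial result
// whose key "__proto__" came from a client-supplied GraphQL alias.
const ALIASED_RESULT_JSON =
  '{"__proto__": {"polluted": "yes"}, "me": {"id": "1"}}';

// Vulnerable: walks every own key of `source` and, for nested objects, recurses
// into `target[key]`. JSON.parse creates an OWN property named "__proto__", so
// Object.keys() yields it, and `target["__proto__"]` resolves to
// Object.prototype, which then receives the attacker's nested properties.
function naiveDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== 'object') {
        target[key] = {};
      }
      naiveDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuses the keys that reach the prototype chain and only recurses
// into properties `target` actually owns, never into inherited ones.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop prototype-reaching keys
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const ownObject =
        Object.prototype.hasOwnProperty.call(target, key) &&
        typeof target[key] === 'object' &&
        target[key] !== null;
      if (!ownObject) {
        target[key] = {};
      }
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merges the constructed payload with the vulnerable function and reports what
// an UNRELATED object now sees via Object.prototype; cleans up afterwards so
// the rest of the process is not left polluted.
function runNaive() {
  naiveDeepMerge({}, JSON.parse(ALIASED_RESULT_JSON));
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return leaked; // "yes" : every object in the app now has .polluted
}

// Same payload through the hardened merge: nothing leaks, and only the
// legitimate "me" key is kept.
function runSafe() {
  const merged = safeDeepMerge({}, JSON.parse(ALIASED_RESULT_JSON));
  return { leaked: ({}).polluted, ownKeys: Object.keys(merged).join(',') };
}

console.log('naive  ->', runNaive());
console.log('safe   ->', runSafe());
```

The practical check after any merge of untrusted input is the one `runNaive` performs: create a fresh `{}` and confirm the attacker-chosen property is undefined on it. An alternative to the key blacklist is to build the merge target with `Object.create(null)`, which has no prototype to reach; the blacklist is shown here because it also protects pre-existing plain objects. To see which version you are running, `npm ls @apollo/gateway` lists the resolved version in the dependency tree.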

Recommendation

Upgrade to version 0.6.2 or later.

Packages

Name: @apollo/gateway (npm)

Affected versions    Fixed version
< 0.6.2              0.6.2

7.3 High

CVSS3

Weaknesses

CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, 'Prototype Pollution')
CWE-400 (Uncontrolled Resource Consumption)