Описание
Apollo Router vulnerable to Improper Check or Handling of Exceptional Conditions
Impact
The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when a multi-part response is sent. When users send queries to the router that uses the @defer or Subscriptions, the Router will panic.
To be vulnerable, users of Router must have a coprocessor with coprocessor.supergraph.response configured in their router.yaml and also to support either @defer or Subscriptions.
Patches
Router version 1.33.0 has a fix for this vulnerability. https://github.com/apollographql/router/pull/4014 fixes the issue.
Workarounds
For affected versions, avoid using the coprocessor supergraph response:
Or you can disable defer and subscriptions support:
and continue to use the coprocessor supergraph response.
References
Ссылки
- https://github.com/apollographql/router/security/advisories/GHSA-r344-xw3p-2frj
- https://nvd.nist.gov/vuln/detail/CVE-2023-45812
- https://github.com/apollographql/router/issues/4013
- https://github.com/apollographql/router/pull/4014
- https://github.com/apollographql/router/commit/b917b8c117b46a2d508428c0856f4927dfcfc341
Пакеты
apollo-router
>= 1.31.0, < 1.33.0
1.33.0
Связанные уязвимости
The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when a multi-part response is sent. When users send queries to the router that uses the `@defer` or Subscriptions, the Router will panic. To be vulnerable, users of Router must have a coprocessor with `coprocessor.supergraph.response` configured in their `router.yaml` and also to support either `@defer` or Subscriptions. Apollo Router version 1.33.0 has a fix for this vulnerability which was introduced in PR #4014. Users are advised to upgrade. Users unable to upgrade should avoid using the coprocessor supergraph response or disable defer and subscriptions support and continue to use the coprocessor supergraph response.