CVE-2023-28104

Опубликовано: 16 мар. 2023

Источник: nvd

CVSS3: 7.5

EPSS Низкий

Описание

silverstripe/graphql serves Silverstripe data as GraphQL representations. In versions 4.2.2 and 4.1.1, an attacker could use a specially crafted graphql query to execute a denial of service attack against a website which has a publicly exposed graphql endpoint. This mostly affects websites with particularly large/complex graphql schemas. Users should upgrade to silverstripe/graphql 4.2.3 or 4.1.2 to remedy the vulnerability.

Ссылки

https://github.com/silverstripe/silverstripe-graphql/pull/526
Patch
https://github.com/silverstripe/silverstripe-graphql/releases/tag/4.1.2
Patch
Release Notes
https://github.com/silverstripe/silverstripe-graphql/releases/tag/4.2.3
Patch
Release Notes
https://github.com/silverstripe/silverstripe-graphql/security/advisories/GHSA-67g8-c724-8mp3
Vendor Advisory
https://github.com/silverstripe/silverstripe-graphql/pull/526
Patch
https://github.com/silverstripe/silverstripe-graphql/releases/tag/4.1.2
Patch
Release Notes
https://github.com/silverstripe/silverstripe-graphql/releases/tag/4.2.3
Patch
Release Notes
https://github.com/silverstripe/silverstripe-graphql/security/advisories/GHSA-67g8-c724-8mp3
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:silverstripe:graphql:4.1.1:*:*:*:*:*:*:*

cpe:2.3:a:silverstripe:graphql:4.2.2:*:*:*:*:*:*:*

EPSS

Процентиль: 70%

0.00638

Низкий

7.5 High

CVSS3

Дефекты

CWE-770

Связанные уязвимости

GHSA-67g8-c724-8mp3