Vulnerability Description
`silverstripe/graphql` serves Silverstripe data as GraphQL representations. In versions 4.2.2 and 4.1.1, an attacker could use a specially crafted graphql query to execute a denial of service attack against a website which has a publicly exposed graphql endpoint. This mostly affects websites with particularly large/complex graphql schemas. Users should upgrade to `silverstripe/graphql` 4.2.3 or 4.1.2 to remedy the vulnerability.
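The shape of attack the description points at is a document that is cheap for a client to send but expensive for the server to resolve, and a large schema with many relations gives such a query more to walk. The page does not say what the 4.2.3 / 4.1.2 patch changed (pull request 526 in the references has that detail). The block below is an added, generic illustration of the usual first line of defence for a publicly exposed GraphQL endpoint: measure the nesting depth and field count of a document with a small tokenizer and reject it before any resolver runs. It is written in Python, is not code from silverstripe/graphql or the Silverstripe project, and the limits (`MAX_DEPTH`, `MAX_FIELDS`), the sample query and its field names, and the `build_nested` attacker shape are all assumptions made for the example.

```python
"""Added example: gate GraphQL documents by nesting depth and field count before
they reach a resolver. Limits and sample queries are illustrative assumptions."""
import re

MAX_DEPTH = 8     # assumed limit on nested selection sets
MAX_FIELDS = 200  # assumed limit on fields requested in one document

# Spread, punctuation, directive, variable, name, or any other single character.
TOKEN = re.compile(r'\.\.\.|[{}():]|@[A-Za-z_]\w*|\$[A-Za-z_]\w*|[A-Za-z_]\w*|\S')
IDENT = re.compile(r'[A-Za-z_]\w*')

class QueryRejected(ValueError):
    """Raised when a document fails the gate."""

def _blank_strings_and_comments(doc: str) -> str:
    """Replace string literals and # comments with spaces so their braces are ignored."""
    out, i, n = [], 0, len(doc)
    while i < n:
        if doc.startswith('"""', i):             # block string
            j = doc.find('"""', i + 3)
            j = n if j == -1 else j + 3
        elif doc[i] == '"':                      # plain string, honouring backslash escapes
            j = i + 1
            while j < n and doc[j] != '"':
                j += 2 if doc[j] == '\\' else 1
            j = min(j + 1, n)
        elif doc[i] == '#':                      # comment runs to end of line
            j = doc.find('\n', i)
            j = n if j == -1 else j
        else:
            out.append(doc[i]); i += 1
            continue
        out.append(' ' * (j - i)); i = j
    return ''.join(out)

def measure(doc: str) -> tuple[int, int]:
    """Return (max_depth, field_count). The operation's outer braces are depth 1.
    Argument lists are skipped (input objects carry braces of their own) and
    fragment spreads are not expanded, so depth behind a spread is not seen."""
    toks = TOKEN.findall(_blank_strings_and_comments(doc))
    depth = max_depth = fields = skip = 0
    in_args = False
    for k, tok in enumerate(toks):
        nxt = toks[k + 1] if k + 1 < len(toks) else ''
        if in_args:
            in_args = tok != ')'
            continue
        if tok == '(':
            in_args = True
        elif tok == '{':
            depth += 1; skip = 0
            max_depth = max(max_depth, depth)
        elif tok == '}':
            if depth == 0:
                raise QueryRejected("unbalanced selection set")
            depth -= 1
        elif tok == '...':
            skip = 2 if nxt == 'on' else 1       # skip "Name" or "on Type"
        elif IDENT.fullmatch(tok):
            if skip:
                skip -= 1
            elif depth > 0 and nxt != ':':       # an alias is not a field
                fields += 1
    if depth != 0:
        raise QueryRejected("unterminated selection set")
    return max_depth, fields

def gate(doc: str, max_depth: int = MAX_DEPTH, max_fields: int = MAX_FIELDS) -> tuple[int, int]:
    """Return (depth, fields) for an acceptable document; raise QueryRejected otherwise."""
    depth, fields = measure(doc)
    if depth > max_depth:
        raise QueryRejected(f"selection depth {depth} exceeds {max_depth}")
    if fields > max_fields:
        raise QueryRejected(f"{fields} fields exceed {max_fields}")
    return depth, fields

def is_allowed(doc: str) -> bool:
    try:
        gate(doc)
        return True
    except QueryRejected:
        return False

def build_nested(field: str, levels: int) -> str:
    """Attacker-style shape: one self-referential relation requested `levels` deep."""
    body = "id"
    for _ in range(levels):
        body = f"{field} {{ {body} }}"
    return f"{{ {body} }}"

# Constructed sample of an ordinary client query; the field names are made up.
BENIGN = '''query Page($id: ID!) {
  readOnePage(id: $id, filter: {title: {eq: "x { y }"}}) {  # braces here are ignored
    title
    ... on Page { urlSegment }
    author: createdBy @include(if: true) { email }
  } }'''
```

`measure(BENIGN)` yields a depth of 3 and 5 fields and passes; `build_nested("children", 20)` nests 21 selection sets and is rejected before the server touches the database. The gate deliberately does not expand fragment spreads, so a spread can hide depth from it; treat it as a coarse pre-filter in front of the endpoint. silverstripe/graphql is built on webonyx/graphql-php, which ships `QueryDepth` and `QueryComplexity` validation rules that do this job at the validated-AST level, fragments included, and those are the better place to enforce a limit once a schema is known to be large.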
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Silverstripe | Graphql | 4.1.1, 4.2.2 |
Related Weaknesses (CWE)
References
- https://github.com/silverstripe/silverstripe-graphql/pull/526 (Patch)
- https://github.com/silverstripe/silverstripe-graphql/releases/tag/4.1.2 (Patch, Release Notes)
- https://github.com/silverstripe/silverstripe-graphql/releases/tag/4.2.3 (Patch, Release Notes)
- https://github.com/silverstripe/silverstripe-graphql/security/advisories/GHSA-67 (Vendor Advisory)
FAQ
What is CVE-2023-28104?
CVE-2023-28104 is a vulnerability with a CVSS score of 7.5 (HIGH). `silverstripe/graphql` serves Silverstripe data as GraphQL representations. In versions 4.2.2 and 4.1.1, an attacker could use a specially crafted graphql query to execute a denial of service attack against a website which has a publicly exposed graphql endpoint. This mostly affects websites with particularly large/complex graphql schemas.
How severe is CVE-2023-28104?
CVE-2023-28104 has been rated HIGH with a CVSS base score of 7.5/10. Only the base score is listed on this page; the vendor advisory in the references carries the full detail. The impact is availability only (denial of service), and exposure is limited to sites whose graphql endpoint is reachable by unauthenticated clients.
Is there a patch for CVE-2023-28104?
Yes. Upgrade `silverstripe/graphql` to 4.2.3 (for the 4.2 line) or 4.1.2 (for the 4.1 line). The fix is pull request 526; it and the release notes for both versions are linked in the references above. The only affected product is Silverstripe Graphql.