CVE-2023-45812 — HIGH (7.5)

Q: How severe is CVE-2023-45812?

CVE-2023-45812 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-45812?

Check the references section above for vendor advisories and patch information. Affected products include: Apollographql Apollo Router, Apollographql Apollo Helms-Charts Router.

Vulnerability Description

The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when a multi-part response is sent. When users send queries to the router that uses the `@defer` or Subscriptions, the Router will panic. To be vulnerable, users of Router must have a coprocessor with `coprocessor.supergraph.response` configured in their `router.yaml` and also to support either `@defer` or Subscriptions. Apollo Router version 1.33.0 has a fix for this vulnerability which was introduced in PR #4014. Users are advised to upgrade. Users unable to upgrade should avoid using the coprocessor supergraph response or disable defer and subscriptions support and continue to use the coprocessor supergraph response.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apollographql	Apollo Router	>= 1.31.0, <= 1.32.0
Apollographql	Apollo Helms-Charts Router	>= 1.31.0, <= 1.32.0

Related Weaknesses (CWE)

CWE-754

References

https://github.com/apollographql/router/pull/4014Patch
https://github.com/apollographql/router/security/advisories/GHSA-r344-xw3p-2frjMitigationVendor Advisory
https://github.com/apollographql/router/pull/4014Patch
https://github.com/apollographql/router/security/advisories/GHSA-r344-xw3p-2frjMitigationVendor Advisory

FAQ

What is CVE-2023-45812?

CVE-2023-45812 is a vulnerability with a CVSS score of 7.5 (HIGH). The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS)...

How severe is CVE-2023-45812?

CVE-2023-45812 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-45812?

Check the references section above for vendor advisories and patch information. Affected products include: Apollographql Apollo Router, Apollographql Apollo Helms-Charts Router.