Vulnerabilities > CVE-2023-45812 - Improper Check for Unusual or Exceptional Conditions vulnerability in Apollographql Apollo Helms-Charts Router and Apollo Router

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

apollographql

CWE-754

NVD

Published: 2023-10-18

Updated: 2023-10-30

Summary

The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when a multi-part response is sent. When users send queries to the router that uses the `@defer` or Subscriptions, the Router will panic. To be vulnerable, users of Router must have a coprocessor with `coprocessor.supergraph.response` configured in their `router.yaml` and also to support either `@defer` or Subscriptions. Apollo Router version 1.33.0 has a fix for this vulnerability which was introduced in PR #4014. Users are advised to upgrade. Users unable to upgrade should avoid using the coprocessor supergraph response or disable defer and subscriptions support and continue to use the coprocessor supergraph response.

Vulnerable Configurations

Part	Description	Count
Application	Apollographql Apollographql Apollo Router 1.31.0 Apollographql Apollo Router 1.32.0 Apollographql Apollo Helms Charts Router 1.31.0 Apollographql Apollo Helms Charts Router 1.32.0	4

Common Weakness Enumeration (CWE)

CWE-754 - Improper Check for Unusual or Exceptional Conditions

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References