silverstripe/graphql Denial of Service vulnerability
CVE-2023-28104

7.5HIGH

Key Information:

Vendor

Silverstripe

Status
Silverstripe-graphql
Vendor
CVE Published:
16 March 2023

What is CVE-2023-28104?

The silverstripe/graphql service allows the representation of Silverstripe data through GraphQL. Certain versions (4.2.2 and 4.1.1) are vulnerable to denial of service attacks due to a flaw that permits an attacker to exploit a carefully crafted GraphQL query. This vulnerability is particularly severe for websites using large or complex GraphQL schemas, where the attack can lead to significant disruption in service availability. It is crucial for users to update to version 4.2.3 or 4.1.2 to mitigate this issue and enhance their site's security.

Affected Version(s)

silverstripe-graphql = 4.1.1 = 4.1.1

silverstripe-graphql = 4.2.2 = 4.2.2

References

https://github.com/silverstripe/silverstripe-graphql/secu...
x_refsource_CONFIRM
https://github.com/silverstripe/silverstripe-graphql/pull...
x_refsource_MISC
https://github.com/silverstripe/silverstripe-graphql/rele...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.