1238 matches found
Information Disclosure
apollo-server-fastify is vulnerable to information disclosure. The vulnerability exists as ApolloServer incorrectly drops the values of this.requestOptions.validationRules when creating a SubscriptionServer...
Information Disclosure
apollo-server-micro is vulnerable to information disclosure. The vulnerability exists as ApolloServer incorrectly drops the values of this.requestOptions.validationRules when creating a SubscriptionServer...
Information Disclosure
apollo-server-express is vulnerable to information disclosure. The vulnerability exists as ApolloServer incorrectly drops the values of this.requestOptions.validationRules when creating a SubscriptionServer...
Information Disclosure
apollo-server-core is vulnerable to information disclosure. The vulnerability exists as ApolloServer incorrectly drops the values of this.requestOptions.validationRules when creating a SubscriptionServer...
Information Disclosure
apollo-server is vulnerable to information disclosure. The vulnerability exists as ApolloServer incorrectly drops the values of this.requestOptions.validationRules when creating a SubscriptionServer...
Information Disclosure
apollo-server-koa is vulnerable to information disclosure. The vulnerability exists as ApolloServer incorrectly drops the values of this.requestOptions.validationRules when creating a SubscriptionServer...
Information Exposure
Overview: Versions of apollo-server-lambda prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the WebSocket. This leaks the GraphQL schema types, their relatio...
Information Exposure
Overview: Versions of apollo-server-micro prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the WebSocket. This leaks the GraphQL schema types, their relation...
Information Exposure
Overview: Versions of apollo-server-koa prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the WebSocket. This leaks the GraphQL schema types, their relations...
Information Exposure
Overview: Versions of apollo-server-hapi prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the WebSocket. This leaks the GraphQL schema types, their relations...
Information Exposure
Overview: Versions of apollo-server-fastify prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the WebSocket. This leaks the GraphQL schema types, their...
Information Exposure
Overview: Versions of apollo-server-express prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the WebSocket. This leaks the GraphQL schema types, their...
Information Exposure
Overview: Versions of apollo-server-cloud-functions prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the WebSocket. This leaks the GraphQL schema types, thei...
Information Exposure
Overview: Versions of apollo-server-cache-memcached prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the WebSocket. This leaks the GraphQL schema types, thei...
Information Exposure
Overview: Versions of apollo-server-azure-functions prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the WebSocket. This leaks the GraphQL schema types, thei...
Information Exposure
Overview: Versions of apollo-server prior to 2.14.2 are vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoIntrospection rule for the WebSocket. This leaks the GraphQL schema types, their relations and...
@aerogear/voyager-metrics (>=0.7.2-dev.409.01ecc9f.0 <=0.7.2-dev.411.7aaa5a6.0), @aerogear/voyager-server (>=0.7.2-dev.409.01ecc9f.0 <=0.9.1-dev.430.0433c35.0) +41 more potentially affected by unknown CVE via apollo-server (>=0.1.5 <=2.14.1)
apollo-server NPM version =0.1.5, =0.7.2-dev.409.01ecc9f.0, =0.7.2-dev.409.01ecc9f.0, =2018.8.28-0, =1.0.0, =0.10.0, =0.0.9, =0.0.11, =2.0.0-rc.15, =0.0.0, =1.3.1, =4.0.0-alpha-0b0eefe.499, =4.0.1-beta.6 and more Source cves: unknown CVE Source advisory: OSV:GHSA-W42G-7VFC-XF37...
codelift (>=1.0.1 <=1.0.15-canary.394.652cc97.0), graphql-server-micro (>=1.0.2 <=1.4.1) +8 more potentially affected by unknown CVE via apollo-server-micro (>=1.4.0 <=2.14.1)
apollo-server-micro NPM version =1.4.0, =1.0.1, =1.0.2, =1.0.0, =1.0.0, =2.0.0, =1.5.8, =0.1.0, =0.1.0, =1.0.0-rc.3, =1.0.0-rc.5 Source cves: unknown CVE Source advisory: OSV:GHSA-W42G-7VFC-XF37...
@axelspringer/mango-api (>=0.0.1-alpha <=1.0.0-beta.75), @carlosbajo/graphql-gateway (>=1.2.0 <=2.3.6) +39 more potentially affected by unknown CVE via apollo-server-koa (>=1.3.6 <=2.0.4)
apollo-server-koa NPM version =1.3.6, =0.0.1-alpha, =1.2.0, =2.8.1, =0.2.1, =0.2.6, =0.1.2, =6.1.0, =1.0.1, =0.0.9, =0.0.1, =1.0.3, =1.0.0, =2.8.1, =1.0.0, =1.4.56 and more Source cves: unknown CVE Source advisory: OSV:GHSA-W42G-7VFC-XF37...
GHSA-W42G-7VFC-XF37 Introspection in schema validation in Apollo Server
We encourage all users of Apollo Server to read this advisory in its entirety to understand the impact. The Resolution section contains details on patched versions. Impact If subscriptions: false is passed to the ApolloServer constructor options, there is no impact. If implementors were not...