CVE-2023-41317 Unnamed "Subscription" operation results in Denial-of-Service in apollographql/router
The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when GraphQL Subscriptions are...
PT-2023-27902 · Unknown · Apollo Router
Name of the Vulnerable Software and Affected Versions: Apollo Router versions 1.28.0 through 1.29.0. Description: The Apollo Router is subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when GraphQL Subscriptions are enabled. This can be triggered...
Apollo Router Security Vulnerability
Apollo Router is a configurable, high-performance graph router written in Rust. A security vulnerability exists in Apollo Router that stems from enabling GraphQL subscriptions, which in some cases can cause the Router to panic and terminate...
Information Disclosure
@apollo/server and apollo-server-core are vulnerable to Information Disclosure. The vulnerability is due to a lack of sensitive-information masking: values such as Studio API keys can end up getting logged if they are passed incorrectly with leading/trailing whitespace or if they have any invalid...
Prevent logging invalid header values
Impact: What kind of vulnerability is it? Apollo Server can log sensitive information (Studio API keys) if they are passed incorrectly with leading/trailing whitespace or if they have any characters that are invalid as part of a header value. Who is impacted? Users who meet all of the below: use either t...
8base-cli (>=0.0.80 <=0.0.90), @3wks/gae-node-nestjs (>=0.1.3 <=5.2.0-rc3) +522 more potentially affected by unknown CVE via apollo-server-core (>=1.3.2 <=2.25.3)
apollo-server-core NPM version =1.3.2, =0.0.80, =0.1.3, =0.1.1, =2018.8.28-0, =0.0.1, =2.11.0, =0.0.1-alpha, =2.0.0, =0.1.0-alpha.10a87555, =0.1.0, =0.1.0, =0.1.0, =1.0.0, =1.1.0 and more Source cves: unknown CVE Source advisory: OSV:GHSA-J5G3-5C8R-7QFX...
@a11ywatch/a11ywatch (>=0.1.0 <=0.3.82), @a11ywatch/core (>=0.4.52 <=0.8.17) +23 more potentially affected by unknown CVE via apollo-server-core (>=3.10.0 <=3.12.0)
apollo-server-core NPM version =3.10.0, =0.1.0, =0.4.52, =4.9.2, =1.0.0, =1.1.0, =1.0.0, =0.1.0-alpha.0, =0.1.0-alpha.1, =0.1.0-alpha.0, =0.1.0-alpha.0, =0.1.0-alpha.0, =10.7.1, =3.0.0-beta.1, =9.0.0, =2.0.0-beta.7, =2.1.0-alpha.3 and more Source cves: unknown CVE Source advisory:...
PT-2023-33035 · Unknown · Apollo Server
Name of the Vulnerable Software and Affected Versions: Apollo Server versions prior to the latest version. Description: The issue concerns Apollo Server logging sensitive information, specifically Studio API keys, under certain conditions. This occurs when API keys are passed with leading or...
apollo-core.com Cross Site Scripting vulnerability OBB-3439268
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
@apollo/server vulnerable to unsafe application of Content Security Policy via reused nonces
Context: Content Security Policies (CSP) are a defense-in-depth strategy against XSS attacks. Improper application of CSP isn't itself a vulnerability, but it does fail to prevent XSS in the event that there is a viable attack vector for an XSS attack. Impact: There aren't any XSS attack vectors via...
GHSA-68JH-RF6X-836F @apollo/server vulnerable to unsafe application of Content Security Policy via reused nonces
Context: Content Security Policies (CSP) are a defense-in-depth strategy against XSS attacks. Improper application of CSP isn't itself a vulnerability, but it does fail to prevent XSS in the event that there is a viable attack vector for an XSS attack. Impact: There aren't any XSS attack vectors via...
PT-2023-32982 · Apollo Graphql · Apollo Server
Name of the Vulnerable Software and Affected Versions: Apollo Server versions prior to 4.7.4. Description: The issue concerns the improper application of Content Security Policies (CSP) in Apollo Server's landing pages, which could fail to prevent XSS attacks if a viable attack vector exists. Althou...
3rd-Party Reddit App Apollo Forced to Shut Down Due to API Charges
By Waqas. The Apollo app will be shut down on June 30th, 2023. This is a post from HackRead.com. Read the original post: 3rd-Party Reddit App Apollo Forced to Shut Down Due to API Charges...
Security Bulletin: Open Source Dependency Vulnerability
Summary: IBM Edge Application Manager 4.5 has resolved the vulnerability. Vulnerability Details: IBM X-Force ID: 239925. DESCRIPTION: Apollo GraphQL Apollo Server is vulnerable to web cache poisoning, caused by improper handling of the cache-control response header. By modifying HTTP request headers, an...
apollo-automobil.com Cross Site Scripting vulnerability OBB-3303240
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
Apollo has potential access control security issue in eureka
Impact: If users expose the apollo-configservice to the internet (which is not recommended), there are potential security issues since there is no authentication feature enabled for the built-in eureka service. Malicious hackers may access eureka directly to mock apollo-configservice and...
GHSA-368X-WMMG-HQ5C Apollo has potential access control security issue in eureka
Impact: If users expose the apollo-configservice to the internet (which is not recommended), there are potential security issues since there is no authentication feature enabled for the built-in eureka service. Malicious hackers may access eureka directly to mock apollo-configservice and...
GHSA-FMXQ-V8MG-QH25 apollo-portal has potential CSRF issue
Impact: A low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Portal admin. Patches: Cookie SameSite strategy was set to Lax in 4664 and was...
CVE-2023-25569
Apollo is a configuration management system. Prior to version 2.1.0, a low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Portal admin. Cooki...