GHSA-M8JR-FXQX-8XX6 Apollo Federation has Improper Enforcement of Access Control on Transitive Fields

Summary A vulnerability in Apollo Federation's composition logic did not enforce that fields depending on protected data through @requires and/or @fromContext directives have the same access control requirements as the fields they reference. This allowed queries to access protected fields...

@apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields

Summary A vulnerability in Apollo Federation's composition logic allowed some queries to Apollo Router to improperly bypass access controls on types/fields. Apollo Federation incorrectly allowed user-defined access control directives on interface types/fields, which could be bypassed by instead...

PT-2024-13615 · Shrubbery · Tac Plus

Name of the Vulnerable Software and Affected Versions: Shrubbery tac plus versions 2.x through 4.x and versions up to F4.0.4.28 Description: The issue allows unauthenticated Remote Command Execution. It is caused by the product's ability to configure authorization checks as shell commands through...