CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
31.4%
silverstripe/graphql is vulnerable to Distributed Denial Of Service attacks. The vulnerability is due to publicly exposed graphql schemas because it does not properly validate recursive queries, allowing an attacker to send recursive queries into the system.
docs.silverstripe.org/en/developer_guides/graphql/security_and_best_practices/recursive_or_complex_queries
github.com/silverstripe/silverstripe-graphql/commit/7638a3faf892742e8fa5a2baeb5252133d0e97a5
github.com/silverstripe/silverstripe-graphql/commit/f6d5976ec4608e51184b0db1ee5b9e9a99d2501c
github.com/silverstripe/silverstripe-graphql/security/advisories/GHSA-v23w-pppm-jh66
github.com/silverstripe/silverstripe-graphql/tree/3.8#recursive-or-complex-queries
www.silverstripe.org/download/security-releases/CVE-2023-40180