Veracode Vulnerability Database VERACODE:43859
Oct 18, 2023 - 6:02 a.m.

Distributed Denial Of Service (DDoS)

2023-10-18 06:02:48
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
distributed denial of service
vulnerability
silverstripe/graphql
recursive queries

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001
Percentile: 31.4%

silverstripe/graphql is vulnerable to Distributed Denial of Service (DDoS) attacks. Publicly exposed GraphQL schemas are affected because the library does not properly validate recursive queries, allowing an attacker to send recursive queries into the system.
