Common Weakness Enumeration

CWE-440

Allowed

Expected Behavior Violation

Abstraction: Base · Status: Draft

A feature, API, or function does not perform according to its specification.

79 vulnerabilities reference this CWE, most recent first.

GHSA-GV78-7QXH-6MJ5

Vulnerability from github – Published: 2022-05-24 17:03 – Updated: 2024-04-04 02:43
VLAI
Details

An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-5062"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-346",
      "CWE-440"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-12-12T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of service.",
  "id": "GHSA-gv78-7qxh-6mj5",
  "modified": "2024-04-04T02:43:12Z",
  "published": "2022-05-24T17:03:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5062"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0850"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H95Q-MMMP-CM4M

Vulnerability from github – Published: 2025-07-11 15:31 – Updated: 2025-07-11 15:31
VLAI
Details

An Expected Behavior Violation vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker sending a valid BGP UPDATE packet to cause a BGP session reset, resulting in a Denial of Service (DoS). 

Continuous receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.

This issue affects iBGP and eBGP and both IPv4 and IPv6 are affected by this vulnerability.

This issue affects Junos OS:

  • All versions before 21.2R3-S9,
  • from 21.4 before 21.4R3-S11,
  • from 22.2 before 22.2R3-S7,
  • from 22.4 before 22.4R3-S7,
  • from 23.2 before 23.2R2-S4,
  • from 23.4 before 23.4R2-S4,
  • from 24.2 before 24.2R2,
  • from 24.4 before 24.4R1-S3, 24.4R2

Junos OS Evolved:

  • All versions before 22.2R3-S7-EVO,
  • from 22.4-EVO before 22.4R3-S7-EVO,
  • from 23.2-EVO before 23.2R2-S4-EVO,
  • from 23.4-EVO before 23.4R2-S4-EVO,
  • from 24.2-EVO before 24.2R2-EVO,
  • from 24.4-EVO before 24.4R1-S3-EVO, 24.4R2-EVO.
Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-52953"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-11T15:15:26Z",
    "severity": "HIGH"
  },
  "details": "An Expected Behavior Violation\u00a0vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker sending a valid BGP UPDATE packet to cause a BGP session reset, resulting in a Denial of Service (DoS).\u00a0\n\nContinuous receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.\n\nThis issue affects iBGP and eBGP and both IPv4 and IPv6 are affected by this vulnerability.\n\nThis issue affects Junos OS:\n\n\n  *  All versions before 21.2R3-S9,\n  *  from 21.4 before 21.4R3-S11,\n  *  from 22.2 before 22.2R3-S7,\n  *  from 22.4 before 22.4R3-S7,\n  *  from 23.2 before 23.2R2-S4,\n  *  from 23.4 before 23.4R2-S4,\n  *  from 24.2 before 24.2R2,\n  *  from 24.4 before 24.4R1-S3, 24.4R2\n\n\nJunos OS Evolved:\n\n\n\n  *  All versions before 22.2R3-S7-EVO,\n  *  from 22.4-EVO before 22.4R3-S7-EVO,\n  *  from 23.2-EVO before 23.2R2-S4-EVO,\n  *  from 23.4-EVO before 23.4R2-S4-EVO,\n  *  from 24.2-EVO before 24.2R2-EVO,\n  *  from 24.4-EVO before 24.4R1-S3-EVO, 24.4R2-EVO.",
  "id": "GHSA-h95q-mmmp-cm4m",
  "modified": "2025-07-11T15:31:38Z",
  "published": "2025-07-11T15:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52953"
    },
    {
      "type": "WEB",
      "url": "https://supportportal.juniper.net/JSA100059"
    },
    {
      "type": "WEB",
      "url": "https://www.juniper.net/documentation/us/en/software/junos/bgp/topics/task/routing-protocol-bgp-security-configuring.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:C/RE:M/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-MP92-G2H5-GX86

Vulnerability from github – Published: 2025-03-06 12:30 – Updated: 2025-03-06 18:31
VLAI
Details

Expected Behavior Violation vulnerability in Apache Traffic Server.

This issue affects Apache Traffic Server: from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3.

Users are recommended to upgrade to versions 9.2.9 or 10.0.4 or newer, which fixes the issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56202"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-06T11:15:11Z",
    "severity": "MODERATE"
  },
  "details": "Expected Behavior Violation vulnerability in Apache Traffic Server.\n\nThis issue affects Apache Traffic Server: from 9.0.0 through 9.2.8, from 10.0.0 through 10.0.3.\n\nUsers are recommended to upgrade to versions 9.2.9 or 10.0.4 or newer, which fixes the issue.",
  "id": "GHSA-mp92-g2h5-gx86",
  "modified": "2025-03-06T18:31:08Z",
  "published": "2025-03-06T12:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56202"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MRR8-V49W-3333

Vulnerability from github – Published: 2023-07-10 19:08 – Updated: 2025-08-14 19:15
VLAI
Summary
sweetalert2 contains potentially undesirable behavior
Details

sweetalert2 versions from 11.6.14 to before 11.22.4 have potentially undesirable behavior. The package outputs audio and/or video messages that do not pertain to the functionality of the package when run on specific tlds. This functionality is documented on the project's readme.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "sweetalert2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.6.14"
            },
            {
              "fixed": "11.22.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-10T19:08:10Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "`sweetalert2` versions from 11.6.14 to before 11.22.4 have potentially undesirable behavior. The package outputs audio and/or video messages that do not pertain to the functionality of the package when run on specific tlds. This functionality is documented on the project\u0027s readme.",
  "id": "GHSA-mrr8-v49w-3333",
  "modified": "2025-08-14T19:15:04Z",
  "published": "2023-07-10T19:08:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sweetalert2/sweetalert2/pull/2847"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sweetalert2/sweetalert2/commit/7de85db5c76ba3ef5f0cdbc335bbc4a7c559e012"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sweetalert2/sweetalert2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sweetalert2/sweetalert2/releases/tag/v11.4.9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sweetalert2/sweetalert2/tree/6d02e1095e5d9db1dfa7f0708df6fa13a1b32be3#important-notice-about-usage-of-this-software-for-ru-su-and-%D1%80%D1%84-domain-zones"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/sweetalert2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "sweetalert2 contains potentially undesirable behavior"
}

GHSA-P7J4-JWJF-5X9W

Vulnerability from github – Published: 2025-07-07 12:30 – Updated: 2025-07-08 00:03
VLAI
Summary
LlamaIndex vulnerability in ArxivReader class can cause MD5 hash collisions
Details

A vulnerability in the ArxivReader class of the run-llama/llama_index repository allows for MD5 hash collisions when generating filenames for downloaded papers. This can lead to data loss as papers with identical titles but different contents may overwrite each other, preventing some papers from being processed for AI model training. The issue is resolved in llama-index-readers-papers version 0.3.1 (in llama-index 0.12.28).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "llama-index-readers-papers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-3044"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-08T00:03:54Z",
    "nvd_published_at": "2025-07-07T10:15:26Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the ArxivReader class of the run-llama/llama_index repository allows for MD5 hash collisions when generating filenames for downloaded papers. This can lead to data loss as papers with identical titles but different contents may overwrite each other, preventing some papers from being processed for AI model training. The issue is resolved in llama-index-readers-papers version 0.3.1 (in llama-index 0.12.28).",
  "id": "GHSA-p7j4-jwjf-5x9w",
  "modified": "2025-07-08T00:03:54Z",
  "published": "2025-07-07T12:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3044"
    },
    {
      "type": "WEB",
      "url": "https://github.com/run-llama/llama_index/commit/0008041e8dde8e519621388e5d6f558bde6ef42e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/run-llama/llama_index/commit/f69e1c0e7579228fec4cfaf716e4f951e131de77"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/run-llama/llama_index"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/80182c3a-876f-422f-8bac-38267e0345d6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LlamaIndex vulnerability in ArxivReader class can cause MD5 hash collisions"
}

GHSA-PQ3W-WPR9-Q68M

Vulnerability from github – Published: 2022-04-30 00:02 – Updated: 2022-04-30 00:02
VLAI
Details

The monitor barrier of the affected products insufficiently blocks data from being forwarded over the mirror port into the mirrored network. An attacker could use this behavior to transmit malicious packets to systems in the mirrored network, possibly influencing their configuration and runtime behavior.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-6569"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-26T22:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "The monitor barrier of the affected products insufficiently blocks data from being forwarded over the mirror port into the mirrored network. An attacker could use this behavior to transmit malicious packets to systems in the mirrored network, possibly influencing their configuration and runtime behavior.",
  "id": "GHSA-pq3w-wpr9-q68m",
  "modified": "2022-04-30T00:02:14Z",
  "published": "2022-04-30T00:02:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6569"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-557804.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PW6W-RVW4-J57R

Vulnerability from github – Published: 2025-12-05 00:31 – Updated: 2025-12-10 18:30
VLAI
Details

An Expected Behavior Violation [CWE-440] vulnerability in WatchGuard Fireware OS may allow an attacker to bypass the Fireware OS boot time system integrity check and prevent the Firebox from shutting down in the event of a system integrity check failure. The on-demand system integrity check in the Fireware Web UI will correctly show a failed system integrity check message in the event of a failure.This issue affects Fireware OS: from 12.8.1 through 12.11.4, from 2025.1 through 2025.1.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13940"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-04T22:15:48Z",
    "severity": "MODERATE"
  },
  "details": "An Expected Behavior Violation [CWE-440] vulnerability in WatchGuard Fireware OS may allow an attacker to bypass the Fireware OS boot time system integrity check and prevent the Firebox from shutting down in the event of a system integrity check failure. The on-demand system integrity check in the Fireware Web UI will correctly show a failed system integrity check message in the event of a failure.This issue affects Fireware OS: from 12.8.1 through 12.11.4, from 2025.1 through 2025.1.2.",
  "id": "GHSA-pw6w-rvw4-j57r",
  "modified": "2025-12-10T18:30:22Z",
  "published": "2025-12-05T00:31:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13940"
    },
    {
      "type": "WEB",
      "url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00026"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-Q946-P8HR-8Q7P

Vulnerability from github – Published: 2026-06-15 21:30 – Updated: 2026-06-15 21:30
VLAI
Details

Unauthenticated Bypass Vulnerability in Stripe Payments <= 2.0.98 versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-42752"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-15T21:16:57Z",
    "severity": "MODERATE"
  },
  "details": "Unauthenticated Bypass Vulnerability in Stripe Payments \u003c= 2.0.98 versions.",
  "id": "GHSA-q946-p8hr-8q7p",
  "modified": "2026-06-15T21:30:48Z",
  "published": "2026-06-15T21:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42752"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/stripe-payments/vulnerability/wordpress-stripe-payments-plugin-2-0-98-bypass-vulnerability-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q9P4-HW9M-FJ2V

Vulnerability from github – Published: 2024-05-02 08:20 – Updated: 2024-05-02 19:35
VLAI
Summary
Apollo Router vulnerable to Critical Regression In Query Plan Cache
Details

Impact

Any instance of Apollo Router 1.44.0 or 1.45.0 that is using Distributed Query Plan Caching is impacted. These versions were released on 2024-04-12 and 2024-04-22 respectively.

The affected versions of Apollo Router contain a bug that could lead to unexpected operations being executed, which can result in unintended data or effects. This only affects Router instances configured to use distributed query plan caching. Router versions other than the ones listed above, and all Router deployments that are not using distributed query plan caching, are unaffected by this defect.

If you are using the affected versions, you can check your router’s configuration YAML to verify if you are impacted:

supergraph:
  query_planning:
    cache:
      # Look for this config below
      redis:
        urls: ["redis://..."]

A full reference on the Distributed Query Plan Caching feature is available here.

Impact detail

The root cause of this defect is a bug in Apollo Router’s cache retrieval logic: When this defect is present and distributed query planning caching is enabled, asking the Router to execute an operation (whether it is a query, a mutation, or a subscription) may result in an unexpected variation of that operation being executed or the generation of unexpected errors.

The issue stems from inadvertently executing a modified version of a previously executed operation, whose query plan is stored in the underlying cache (specifically, Redis). Depending on the type of the operation, the result may vary. For a query, results may be fetched that don’t match what was requested (e.g., rather than running fetchUsers(type: ENTERPRISE) the Router may run fetchUsers(type: TRIAL). For a mutation, this may result in incorrect mutations being sent to underlying subgraph servers (e.g., rather than sending deleteUser(id: 10) to a subgraph, the Router may run deleteUser(id: 12).

Patches

Apollo Router 1.45.1

If you are using distributed query plan caching, please either upgrade to version 1.45.1 or above or downgrade to version 1.43.2 of the Apollo Router. We do not recommend Apollo Router versions 1.44.0 or 1.45.0 for use and have withdrawn these releases. If you use impacted versions in production, we recommend that you migrate away immediately by redeploying to an unaffected Router version. For non-production use cases, we recommend you migrate at your earliest convenience.

Workarounds

If you cannot upgrade or downgrade, you can disable distributed query plan caching by removing the supergraph.query_planning.cache.redis.urls configuration. Please note that when distributed query plan caching is disabled, each Router instance will maintain its own in-memory query plan cache. This may increase resource utilization for each Router instance and could increase cold-start times as each Router instance builds its query plan cache.

References

Apollo Router 1.45.1 Release Notes

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "apollo-router"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.44.0"
            },
            {
              "fixed": "1.45.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-32971"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-02T08:20:00Z",
    "nvd_published_at": "2024-05-02T07:15:21Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nAny instance of Apollo Router 1.44.0 or 1.45.0 that is using Distributed Query Plan Caching is impacted. These versions were released on 2024-04-12 and 2024-04-22 respectively.\n\nThe affected versions of Apollo Router contain a bug that could lead to unexpected operations being executed, which can result in unintended data or effects. This only affects Router instances configured to use distributed query plan caching. Router versions other than the ones listed above, and all Router deployments that are not using distributed query plan caching, are unaffected by this defect.\n\nIf you are using the affected versions, you can check your router\u2019s configuration YAML to verify if you are impacted:\n\n\n```yaml\nsupergraph:\n  query_planning:\n    cache:\n      # Look for this config below\n      redis:\n        urls: [\"redis://...\"]\n```\nA full reference on the[ Distributed Query Plan Caching feature is available here.](https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching)\n\n### Impact detail\nThe root cause of this defect is a bug in Apollo Router\u2019s cache retrieval logic: When this defect is present and distributed query planning caching is enabled, asking the Router to execute an operation (whether it is a query, a mutation, or a subscription) may result in an unexpected variation of that operation being executed or the generation of unexpected errors.  \n\nThe issue stems from inadvertently executing a modified version of a previously executed operation, whose query plan is stored in the underlying cache (specifically, Redis). Depending on the type of the operation, the result may vary.  For a query, results may be fetched that don\u2019t match what was requested (e.g., rather than running `fetchUsers(type: ENTERPRISE)` the Router may run `fetchUsers(type: TRIAL)`.  For a mutation, this may result in incorrect mutations being sent to underlying subgraph servers (e.g., rather than sending `deleteUser(id: 10)` to a subgraph, the Router may run `deleteUser(id: 12)`.\n\n### Patches\nApollo Router 1.45.1\n\nIf you are using distributed query plan caching, please either upgrade to version 1.45.1 or above or downgrade to version 1.43.2 of the Apollo Router. We do not recommend Apollo Router versions 1.44.0 or 1.45.0 for use and have withdrawn these releases. If you use impacted versions in production, we recommend that you migrate away immediately by redeploying to an unaffected Router version. For non-production use cases, we recommend you migrate at your earliest convenience.\n\n### Workarounds\nIf you cannot upgrade or downgrade, you can disable distributed query plan caching by removing the `supergraph.query_planning.cache.redis.urls` configuration. Please note that when distributed query plan caching is disabled, each Router instance will maintain its own in-memory query plan cache. This may increase resource utilization for each Router instance and could increase cold-start times as each Router instance builds its query plan cache.\n\n### References\n[Apollo Router 1.45.1 Release Notes](https://github.com/apollographql/router/releases/tag/v1.45.1)",
  "id": "GHSA-q9p4-hw9m-fj2v",
  "modified": "2024-05-02T19:35:51Z",
  "published": "2024-05-02T08:20:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32971"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apollographql/router"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apollographql/router/releases/tag/v1.45.1"
    },
    {
      "type": "WEB",
      "url": "https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apollo Router vulnerable to Critical Regression In Query Plan Cache"
}

GHSA-QC4V-XQ2M-65WC

Vulnerability from github – Published: 2024-10-03 16:51 – Updated: 2024-10-03 18:41
VLAI
Summary
Unexpected visibility of environment variable configurations in @backstage/plugin-app-backend
Details

Impact

Configuration supplied through APP_CONFIG_* environment variables, for example APP_CONFIG_backend_listen_port=7007, where unexpectedly ignoring the visibility defined in configuration schema. This occurred even if the configuration schema specified that they should have backend or secret visibility. This was an intended feature of the APP_CONFIG_* way of supplying configuration, but now clearly goes against the expected behavior of the configuration system. This behavior leads to a risk of potentially exposing sensitive configuration details intended to remain private or restricted to backend processes.

Patches

The issue has been resolved in version 0.3.75 of the @backstage/plugin-app-backend package. Users are encouraged to upgrade to this version to mitigate the vulnerability.

Workarounds

As a temporary measure, avoid supplying secrets using the APP_CONFIG_ configuration pattern. Consider alternative methods for setting secrets, such as the environment substitution available for Backstage configuration.

References

If you have any questions or comments about this advisory:

Open an issue in the Backstage repository Visit our Discord, linked to in Backstage README

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@backstage/plugin-app-backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.75"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47762"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-03T16:51:24Z",
    "nvd_published_at": "2024-10-03T18:15:05Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nConfiguration supplied through `APP_CONFIG_*` environment variables, for example `APP_CONFIG_backend_listen_port=7007`, where unexpectedly ignoring the visibility defined in configuration schema. This occurred even if the configuration schema specified that they should have backend or secret visibility. This was an intended feature of the `APP_CONFIG_*` way of supplying configuration, but now clearly goes against the expected behavior of the configuration system. This behavior leads to a risk of potentially exposing sensitive configuration details intended to remain private or restricted to backend processes.\n\n### Patches\n\nThe issue has been resolved in version `0.3.75` of the `@backstage/plugin-app-backend` package. Users are encouraged to upgrade to this version to mitigate the vulnerability.\n\n### Workarounds\n\nAs a temporary measure, avoid supplying secrets using the `APP_CONFIG_` configuration pattern. Consider alternative methods for setting secrets, such as the [environment substitution](https://backstage.io/docs/conf/writing#environment-variable-substitution) available for Backstage configuration.\n\n### References\n\nIf you have any questions or comments about this advisory:\n\nOpen an issue in the [Backstage repository](https://github.com/backstage/backstage)\nVisit our Discord, linked to in [Backstage README](https://github.com/backstage/backstage)\n",
  "id": "GHSA-qc4v-xq2m-65wc",
  "modified": "2024-10-03T18:41:10Z",
  "published": "2024-10-03T16:51:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/backstage/backstage/security/advisories/GHSA-qc4v-xq2m-65wc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47762"
    },
    {
      "type": "WEB",
      "url": "https://github.com/backstage/backstage/commit/323e6129073c5cb4cc106a1239eaec31a129554f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/backstage/backstage"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Unexpected visibility of environment variable configurations in @backstage/plugin-app-backend"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.