CWE-703
DiscouragedImproper Check or Handling of Exceptional Conditions
Abstraction: Pillar · Status: Incomplete
The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
210 vulnerabilities reference this CWE, most recent first.
GHSA-PQJ7-JX24-WJ7W
Vulnerability from github – Published: 2023-05-11 19:40 – Updated: 2023-05-11 19:40Impact
Users can either intentionally or inadvertently create a shard containing / characters from VTAdmin such that from that point on, anyone who tries to create a new shard from VTAdmin will receive an error.
Attempting to view the keyspace(s) will also no longer work.
Creating a shard using vtctldclient does not have the same problem because the CLI validates the input correctly.
Patches
v16.0.2, corresponding to 0.16.2 on pkg.go.dev
Workarounds
- Always use
vtctldclientto create shards, instead of using VTAdmin - Disable creating shards from VTAdmin using RBAC
- Delete the topology record for the offending shard using the client for your topology server. For example, if you created a shard called
a/bin keyspacecommerce, and you are running etcd, it can be deleted by doing something like
% etcdctl --endpoints "http://${ETCD_SERVER}" del /vitess/global/keyspaces/commerce/shards/a/b/Shard
References
https://github.com/vitessio/vitess/issues/12842
Found during a security audit sponsored by the CNCF and facilitated by OSTIF.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "vitess.io/vitess"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.16.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-29195"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-703"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-11T19:40:49Z",
"nvd_published_at": "2023-05-11T20:15:09Z",
"severity": "MODERATE"
},
"details": "### Impact\nUsers can either intentionally or inadvertently create a shard containing `/` characters from VTAdmin such that from that point on, anyone who tries to create a new shard from VTAdmin will receive an error. \nAttempting to view the keyspace(s) will also no longer work.\nCreating a shard using `vtctldclient` does not have the same problem because the CLI validates the input correctly.\n\n### Patches\nv16.0.2, corresponding to [0.16.2 on pkg.go.dev](https://pkg.go.dev/vitess.io/vitess@v0.16.2)\n\n### Workarounds\n- Always use `vtctldclient` to create shards, instead of using VTAdmin\n- Disable creating shards from VTAdmin using RBAC\n- Delete the topology record for the offending shard using the client for your topology server. For example, if you created a shard called `a/b` in keyspace `commerce`, and you are running etcd, it can be deleted by doing something like\n```\n% etcdctl --endpoints \"http://${ETCD_SERVER}\" del /vitess/global/keyspaces/commerce/shards/a/b/Shard\n```\n\n### References\nhttps://github.com/vitessio/vitess/issues/12842\n\nFound during a security audit sponsored by the [CNCF](https://cncf.io) and facilitated by [OSTIF](https://ostif.org).",
"id": "GHSA-pqj7-jx24-wj7w",
"modified": "2023-05-11T19:40:49Z",
"published": "2023-05-11T19:40:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vitessio/vitess/security/advisories/GHSA-pqj7-jx24-wj7w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29195"
},
{
"type": "WEB",
"url": "https://github.com/vitessio/vitess/issues/12842"
},
{
"type": "WEB",
"url": "https://github.com/vitessio/vitess/pull/12843"
},
{
"type": "WEB",
"url": "https://github.com/vitessio/vitess/commit/9dcbd7de3180f47e94f54989fb5c66daea00c920"
},
{
"type": "PACKAGE",
"url": "https://github.com/vitessio/vitess"
},
{
"type": "WEB",
"url": "https://github.com/vitessio/vitess/releases/tag/v16.0.2"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vitess.io/vitess@v0.16.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "VTAdmin users that can create shards can deny access to other functions"
}
GHSA-PVGQ-2PR4-WXJ6
Vulnerability from github – Published: 2026-02-03 18:30 – Updated: 2026-02-11 18:31chetans9 core-php-admin-panel through commit a94a780d6 contains an authentication bypass vulnerability in includes/auth_validate.php. The application sends an HTTP redirect via header(Location:login.php) when a user is not authenticated but fails to call exit() afterward. This allows remote unauthenticated attackers to access protected pages.customer database.
{
"affected": [],
"aliases": [
"CVE-2025-70758"
],
"database_specific": {
"cwe_ids": [
"CWE-703"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-03T18:16:18Z",
"severity": "HIGH"
},
"details": "chetans9 core-php-admin-panel through commit a94a780d6 contains an authentication bypass vulnerability in includes/auth_validate.php. The application sends an HTTP redirect via header(Location:login.php) when a user is not authenticated but fails to call exit() afterward. This allows remote unauthenticated attackers to access protected pages.customer database.",
"id": "GHSA-pvgq-2pr4-wxj6",
"modified": "2026-02-11T18:31:25Z",
"published": "2026-02-03T18:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70758"
},
{
"type": "WEB",
"url": "https://github.com/XavLimSG/Vulnerability-Research/tree/main/CVE-2025-70758"
},
{
"type": "WEB",
"url": "https://github.com/chetans9/core-php-admin-panel"
},
{
"type": "WEB",
"url": "https://github.com/chetans9/core-php-admin-panel/blob/master/includes/auth_validate.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PVXC-5V6M-8CM2
Vulnerability from github – Published: 2025-11-11 18:30 – Updated: 2025-11-19 21:31Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 145 and Firefox ESR < 140.5.
{
"affected": [],
"aliases": [
"CVE-2025-13016"
],
"database_specific": {
"cwe_ids": [
"CWE-703"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-11T16:15:38Z",
"severity": "HIGH"
},
"details": "Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability affects Firefox \u003c 145 and Firefox ESR \u003c 140.5.",
"id": "GHSA-pvxc-5v6m-8cm2",
"modified": "2025-11-19T21:31:17Z",
"published": "2025-11-11T18:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13016"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1992130"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-87"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-88"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-90"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-91"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PX74-PRRR-J3JP
Vulnerability from github – Published: 2023-07-14 18:31 – Updated: 2024-04-04 06:08An Improper Check or Handling of Exceptional Conditions vulnerability in the Layer-2 control protocols daemon (l2cpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker to cause a Denial of Service (DoS).
When a malformed LLDP packet is received, l2cpd will crash and restart. The impact of the l2cpd crash is reinitialization of STP protocols (RSTP, MSTP or VSTP), and MVRP and ERP. Also, if any services depend on LLDP state (like PoE or VoIP device recognition), then these will also be affected. Continued receipt of such packets will lead to a sustained Denial of Service.
This issue affects: Juniper Networks Junos OS 21.4 versions prior to 21.4R3-S3; 22.1 versions prior to 22.1R3-S3; 22.2 versions prior to 22.2R2-S1, 22.2R3; 22.3 versions prior to 22.3R2.
Juniper Networks Junos OS Evolved 21.4-EVO versions prior to 21.4R3-S2-EVO; 22.1-EVO versions prior to 22.1R3-S3-EVO; 22.2-EVO versions prior to 22.2R2-S1-EVO, 22.2R3-EVO; 22.3-EVO versions prior to 22.3R2-EVO.
{
"affected": [],
"aliases": [
"CVE-2023-36849"
],
"database_specific": {
"cwe_ids": [
"CWE-703"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-14T18:15:10Z",
"severity": "MODERATE"
},
"details": "An Improper Check or Handling of Exceptional Conditions vulnerability in the Layer-2 control protocols daemon (l2cpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker to cause a Denial of Service (DoS).\n\nWhen a malformed LLDP packet is received, l2cpd will crash and restart. The impact of the l2cpd crash is reinitialization of STP protocols (RSTP, MSTP or VSTP), and MVRP and ERP. Also, if any services depend on LLDP state (like PoE or VoIP device recognition), then these will also be affected. Continued receipt of such packets will lead to a sustained Denial of Service.\n\nThis issue affects:\nJuniper Networks Junos OS\n21.4 versions prior to 21.4R3-S3;\n22.1 versions prior to 22.1R3-S3;\n22.2 versions prior to 22.2R2-S1, 22.2R3;\n22.3 versions prior to 22.3R2.\n\nJuniper Networks Junos OS Evolved\n21.4-EVO versions prior to 21.4R3-S2-EVO;\n22.1-EVO versions prior to 22.1R3-S3-EVO;\n22.2-EVO versions prior to 22.2R2-S1-EVO, 22.2R3-EVO;\n22.3-EVO versions prior to 22.3R2-EVO.\n",
"id": "GHSA-px74-prrr-j3jp",
"modified": "2024-04-04T06:08:53Z",
"published": "2023-07-14T18:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36849"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA71660"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q7G2-V5XX-CMXX
Vulnerability from github – Published: 2023-03-24 21:30 – Updated: 2023-03-30 15:30In updateInputChannel of WindowManagerService.java, there is a possible way to set a touchable region beyond its own SurfaceControl due to a logic error in the code. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-254681548
{
"affected": [],
"aliases": [
"CVE-2023-21026"
],
"database_specific": {
"cwe_ids": [
"CWE-703"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-24T20:15:00Z",
"severity": "MODERATE"
},
"details": "In updateInputChannel of WindowManagerService.java, there is a possible way to set a touchable region beyond its own SurfaceControl due to a logic error in the code. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-254681548",
"id": "GHSA-q7g2-v5xx-cmxx",
"modified": "2023-03-30T15:30:20Z",
"published": "2023-03-24T21:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21026"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2023-03-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QFC7-WQHW-2Q8R
Vulnerability from github – Published: 2025-10-15 15:30 – Updated: 2026-01-23 21:30Under undisclosed traffic conditions along with conditions beyond the attacker's control, hardware systems with a High-Speed Bridge (HSB) may experience a lockup of the HSB.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
{
"affected": [],
"aliases": [
"CVE-2025-58153"
],
"database_specific": {
"cwe_ids": [
"CWE-667",
"CWE-703"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-15T14:15:52Z",
"severity": "HIGH"
},
"details": "Under undisclosed traffic conditions along with conditions beyond the attacker\u0027s control, hardware systems with a High-Speed Bridge (HSB) may experience a lockup of the HSB.\n\n\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"id": "GHSA-qfc7-wqhw-2q8r",
"modified": "2026-01-23T21:30:39Z",
"published": "2025-10-15T15:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58153"
},
{
"type": "WEB",
"url": "https://my.f5.com/manage/s/article/K000151658"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QJH3-4J3H-VMWP
Vulnerability from github – Published: 2025-01-13 16:13 – Updated: 2025-01-14 21:07Summary
The issue was identified during Quarkslab's security audit on the Certificate Revocation List (CRL) based revocation check feature. After retrieving the CRL, notation-go attempts to update the CRL cache using the os.Rename method. However, this operation may fail due to operating system-specific limitations, particularly when the source and destination paths are on different mount points. This failure could lead to an unexpected program termination.
Details
In method crl.(*FileCache).Set, a temporary file is created in the OS dedicated area (like /tmp for, usually, Linux/Unix). The file is written and then it is tried to move it to the dedicated notation cache directory thanks os.Rename. As specified in Go documentation, OS specific restriction may apply. When used with Linux OS, it is relying on rename syscall from the libc and as per the documentation, moving a file to a different mountpoint raises an EXDEV error, interpreted as Cross device link not permitted error.
Some Linux distribution, like RedHat use a dedicated filesystem (tmpfs), mounted on a specific mountpoint (usually /tmp) for temporary files. When using such OS, revocation check based on CRL will repeatedly crash notation.
PoC
- Ensure that the temporary file storage area (e.g., /tmp) is mounted on a different mount point than the user's 'notation' cache directory.
- Either disable the Online Certificate Status Protocol (OCSP) revocation check, or utilize certificates that exclusively support Certificate Revocation Lists (CRLs) for revocation check.
- Try to verify a previously generated signature using the 'notation' tool.
Impact
The signature verification process is aborted as process crashes.
Remediation
The cache file should be created, written, then copied to the wanted final location, and finally removed. Additionally, this error shouldn't lead to a crash as it is not fatal and shouldn't prevent the rest of the program to properly continue
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/notaryproject/notation-go"
},
"ranges": [
{
"events": [
{
"introduced": "1.3.0-rc.1"
},
{
"fixed": "1.3.0-rc.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.3.0-rc.1"
]
}
],
"aliases": [
"CVE-2024-51491"
],
"database_specific": {
"cwe_ids": [
"CWE-703"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-13T16:13:59Z",
"nvd_published_at": "2025-01-13T22:15:13Z",
"severity": "LOW"
},
"details": "### Summary\nThe issue was identified during Quarkslab\u0027s security audit on the Certificate Revocation List (CRL) based revocation check feature.\nAfter retrieving the CRL, notation-go attempts to update the CRL cache using the os.Rename method. However, this operation may fail due to operating system-specific limitations, particularly when the source and destination paths are on different mount points. This failure could lead to an unexpected program termination.\n\n### Details\n\nIn method `crl.(*FileCache).Set`, a temporary file is created in the OS dedicated area (like /tmp for, usually, Linux/Unix). The file is written and then it is tried to move it to the dedicated `notation` cache directory thanks `os.Rename`. As specified in Go documentation, OS specific restriction may apply. When used with Linux OS, it is relying on `rename` syscall from the libc and as per the [documentation](https://man7.org/linux/man-pages/man2/rename.2.html), moving a file to a different mountpoint raises an `EXDEV` error, interpreted as `Cross device link not permitted error`.\nSome Linux distribution, like `RedHat` use a dedicated filesystem (`tmpfs`), mounted on a specific mountpoint (usually `/tmp`) for temporary files. When using such OS, revocation check based on CRL will repeatedly crash `notation`. \n\n### PoC\n1. Ensure that the temporary file storage area (e.g., /tmp) is mounted on a different mount point than the user\u0027s \u0027notation\u0027 cache directory.\n2. Either disable the Online Certificate Status Protocol (OCSP) revocation check, or utilize certificates that exclusively support Certificate Revocation Lists (CRLs) for revocation check.\n3. Try to verify a previously generated signature using the \u0027notation\u0027 tool.\n\n### Impact\nThe signature verification process is aborted as process crashes.\n\n### Remediation\nThe cache file should be created, written, then copied to the wanted final location, and finally removed. Additionally, this error shouldn\u0027t lead to a crash as it is not fatal and shouldn\u0027t prevent the rest of the program to properly continue\n",
"id": "GHSA-qjh3-4j3h-vmwp",
"modified": "2025-01-14T21:07:52Z",
"published": "2025-01-13T16:13:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/notaryproject/notation-go/security/advisories/GHSA-qjh3-4j3h-vmwp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51491"
},
{
"type": "WEB",
"url": "https://github.com/notaryproject/notation-go/commit/3c3302258ad510fbca2f8a73731569d91f07d196"
},
{
"type": "PACKAGE",
"url": "https://github.com/notaryproject/notation-go"
},
{
"type": "WEB",
"url": "https://man7.org/linux/man-pages/man2/rename.2.html"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2025-3382"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "notation-go has an OS error when setting CRL cache leads to denial of signature verification"
}
GHSA-QM62-5PC4-C833
Vulnerability from github – Published: 2022-10-14 19:00 – Updated: 2025-05-14 18:30The DFX unwind stack module of the ArkCompiler has a vulnerability in interface calling.Successful exploitation of this vulnerability affects system services and device availability.
{
"affected": [],
"aliases": [
"CVE-2022-41589"
],
"database_specific": {
"cwe_ids": [
"CWE-703"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-14T16:15:00Z",
"severity": "HIGH"
},
"details": "The DFX unwind stack module of the ArkCompiler has a vulnerability in interface calling.Successful exploitation of this vulnerability affects system services and device availability.",
"id": "GHSA-qm62-5pc4-c833",
"modified": "2025-05-14T18:30:34Z",
"published": "2022-10-14T19:00:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41589"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2022/10"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-phones-202210-0000001416095697"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QVJG-564F-22C8
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2025-10-22 00:32An improper boundary check in DSP driver prior to SMR Mar-2021 Release 1 allows out of bounds memory access.
{
"affected": [],
"aliases": [
"CVE-2021-25372"
],
"database_specific": {
"cwe_ids": [
"CWE-703",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-26T19:15:00Z",
"severity": "HIGH"
},
"details": "An improper boundary check in DSP driver prior to SMR Mar-2021 Release 1 allows out of bounds memory access.",
"id": "GHSA-qvjg-564f-22c8",
"modified": "2025-10-22T00:32:05Z",
"published": "2022-05-24T17:45:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25372"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-25372"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R344-XW3P-2FRJ
Vulnerability from github – Published: 2023-10-19 16:08 – Updated: 2023-10-19 16:08Impact
The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when a multi-part response is sent. When users send queries to the router that uses the @defer or Subscriptions, the Router will panic.
To be vulnerable, users of Router must have a coprocessor with coprocessor.supergraph.response configured in their router.yaml and also to support either @defer or Subscriptions.
Patches
Router version 1.33.0 has a fix for this vulnerability. https://github.com/apollographql/router/pull/4014 fixes the issue.
Workarounds
For affected versions, avoid using the coprocessor supergraph response:
# do not use this stage in your coprocessor configuration
coprocessor:
supergraph:
response:
Or you can disable defer and subscriptions support:
# disable defer and subscriptions:
supergraph:
defer_support: false # enabled by default
subscription:
enabled: false # disabled by default
and continue to use the coprocessor supergraph response.
References
https://github.com/apollographql/router/issues/4013
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "apollo-router"
},
"ranges": [
{
"events": [
{
"introduced": "1.31.0"
},
{
"fixed": "1.33.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-45812"
],
"database_specific": {
"cwe_ids": [
"CWE-703",
"CWE-754"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-19T16:08:10Z",
"nvd_published_at": "2023-10-18T22:15:09Z",
"severity": "HIGH"
},
"details": "### Impact\nThe Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation. Affected versions are subject to a Denial-of-Service (DoS) type vulnerability which causes the Router to panic and terminate when a multi-part response is sent. When users send queries to the router that uses the `@defer` or Subscriptions, the Router will panic.\n \nTo be vulnerable, users of Router must have a coprocessor with `coprocessor.supergraph.response` configured in their `router.yaml` and also to support either `@defer` or Subscriptions. \n\n### Patches\nRouter version 1.33.0 has a fix for this vulnerability. https://github.com/apollographql/router/pull/4014 fixes the issue. \n\n### Workarounds\nFor affected versions, avoid using the coprocessor supergraph response:\n```yml\n# do not use this stage in your coprocessor configuration\ncoprocessor:\n supergraph:\n response:\n``` \n\nOr you can disable defer and subscriptions support:\n```yml\n# disable defer and subscriptions:\nsupergraph:\n defer_support: false # enabled by default\nsubscription:\n enabled: false # disabled by default\n```\nand continue to use the coprocessor supergraph response.\n### References\nhttps://github.com/apollographql/router/issues/4013\n",
"id": "GHSA-r344-xw3p-2frj",
"modified": "2023-10-19T16:08:10Z",
"published": "2023-10-19T16:08:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/apollographql/router/security/advisories/GHSA-r344-xw3p-2frj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45812"
},
{
"type": "WEB",
"url": "https://github.com/apollographql/router/issues/4013"
},
{
"type": "WEB",
"url": "https://github.com/apollographql/router/pull/4014"
},
{
"type": "WEB",
"url": "https://github.com/apollographql/router/commit/b917b8c117b46a2d508428c0856f4927dfcfc341"
},
{
"type": "PACKAGE",
"url": "https://github.com/apollographql/router"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apollo Router vulnerable to Improper Check or Handling of Exceptional Conditions"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.