A vulnerability, which was classified as critical, has been found in SilverStripe graphql up to 4.1.1/4.2.2 (Content Management System). This issue affects some unknown processing of the component Query Handler. The manipulation with an unknown input leads to a allocation of resources vulnerability. Using CWE to declare the problem leads to CWE-770. The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. Impacted is availability. The summary by CVE is:

`silverstripe/graphql` serves Silverstripe data as GraphQL representations. In versions 4.2.2 and 4.1.1, an attacker could use a specially crafted graphql query to execute a denial of service attack against a website which has a publicly exposed graphql endpoint. This mostly affects websites with particularly large/complex graphql schemas. Users should upgrade to `silverstripe/graphql` 4.2.3 or 4.1.2 to remedy the vulnerability.

The weakness was shared 03/16/2023 as GHSA-67g8-c724-8mp3. The advisory is shared at github.com. The identification of this vulnerability is CVE-2023-28104 since 03/10/2023. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1499 for this issue.

Upgrading to version 4.1.2 or 4.2.3 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying a patch is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Productinfo

Type

• Content Management System

Vendor

• SilverStripe

Name

• graphql

Version

• 4.1.0
• 4.1.1
• 4.2.0
• 4.2.1
• 4.2.2

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion