CVE-2023-28104
Published 2023-03-16
CVSS 3.1: 7.5 (High), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.05% (60.1st percentile)
silverstripe/graphql Denial of Service vulnerability
`silverstripe/graphql` serves Silverstripe data as GraphQL representations. In versions 4.2.2 and 4.1.1, an attacker could use a specially crafted graphql query to execute a denial of service attack against a website which has a publicly exposed graphql endpoint. This mostly affects websites with particularly large/complex graphql schemas. Users should upgrade to `silverstripe/graphql` 4.2.3 or 4.1.2 to remedy the vulnerability.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| silverstripe | graphql | >= 4.1.1 < 4.1.2 | 4.1.2 |
| silverstripe | graphql | >= 4.2.2 < 4.2.3 | 4.2.3 |
| silverstripe | silverstripe-graphql | — | — |
| silverstripe | silverstripe-graphql | — | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| cvelistv5 | — | 7.5 | HIGH | — |
CVEList
silverstripe/graphql Denial of Service vulnerability (cvelistv5 · 2023-03-16 · CVSS 7.5 · HIGH · CWE-770). The description is the same as the summary above.
GHSA
DDOS attack on graphql endpoints (ghsa · 2023-03-16 · HIGH · CWE-770)
An attacker could use a specially crafted graphql query to execute a Distributed Denial of Service attack (DDOS attack) against a website. This mostly affects websites with publicly exposed and particularly large/complex graphql schemas.
If your Silverstripe CMS project does not expose a public-facing graphql schema, a user account is required to trigger the DDOS attack. If your site is hosted behind a content delivery network (CDN), such as Imperva or Cloudflare, this will likely further mitigate the risk.
Upgrade to `silverstripe/graphql` 4.2.3 or 4.1.2 or above to remedy the vulnerability.
OSV
DDOS attack on graphql endpoints (osv · 2023-03-16 · HIGH). The advisory text is identical to the GHSA entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.