Lookup of vulnerable packages by Package URL.

Purl pkg:composer/silverstripe/graphql@3.8.2
Type composer
Namespace silverstripe
Name graphql
Version 3.8.2
Qualifiers
Subpath
Is_vulnerable false
Next_non_vulnerable_version 4.1.2
Latest_non_vulnerable_version 5.1.3
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-3t8k-6f9c-yue7
vulnerability_id VCID-3t8k-6f9c-yue7
summary
Uncontrolled Resource Consumption
silverstripe-graphql is a package which serves Silverstripe data in GraphQL representations. An attacker could use a recursive graphql query to execute a Distributed Denial of Service attack (DDOS attack) against a website. This mostly affects websites with publicly exposed graphql schemas. If your Silverstripe CMS project does not expose a public facing graphql schema, a user account is required to trigger the DDOS attack. If your site is hosted behind a content delivery network (CDN), such as Imperva or CloudFlare, this may further mitigate the risk. This issue has been addressed in versions 3.8.2, 4.1.3, 4.2.5, 4.3.4, and 5.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
references
0
reference_url https://docs.silverstripe.org/en/developer_guides/graphql/security_and_best_practices/recursive_or_complex_queries
reference_id
reference_type
scores
url https://docs.silverstripe.org/en/developer_guides/graphql/security_and_best_practices/recursive_or_complex_queries
1
reference_url https://github.com/silverstripe/silverstripe-graphql/commit/f6d5976ec4608e51184b0db1ee5b9e9a99d2501c
reference_id
reference_type
scores
url https://github.com/silverstripe/silverstripe-graphql/commit/f6d5976ec4608e51184b0db1ee5b9e9a99d2501c
2
reference_url https://github.com/silverstripe/silverstripe-graphql/tree/3.8#recursive-or-complex-queries
reference_id
reference_type
scores
url https://github.com/silverstripe/silverstripe-graphql/tree/3.8#recursive-or-complex-queries
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-40180
reference_id CVE-2023-40180
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-40180
4
reference_url https://www.silverstripe.org/download/security-releases/CVE-2023-40180
reference_id CVE-2023-40180
reference_type
scores
url https://www.silverstripe.org/download/security-releases/CVE-2023-40180
5
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/graphql/CVE-2023-40180.yaml
reference_id CVE-2023-40180.YAML
reference_type
scores
url https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/graphql/CVE-2023-40180.yaml
6
reference_url https://github.com/advisories/GHSA-v23w-pppm-jh66
reference_id GHSA-v23w-pppm-jh66
reference_type
scores
url https://github.com/advisories/GHSA-v23w-pppm-jh66
7
reference_url https://github.com/silverstripe/silverstripe-graphql/security/advisories/GHSA-v23w-pppm-jh66
reference_id GHSA-v23w-pppm-jh66
reference_type
scores
url https://github.com/silverstripe/silverstripe-graphql/security/advisories/GHSA-v23w-pppm-jh66
fixed_packages
0
url pkg:composer/silverstripe/graphql@3.8.2
purl pkg:composer/silverstripe/graphql@3.8.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@3.8.2
1
url pkg:composer/silverstripe/graphql@4.1.3
purl pkg:composer/silverstripe/graphql@4.1.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.1.3
2
url pkg:composer/silverstripe/graphql@4.2.5
purl pkg:composer/silverstripe/graphql@4.2.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.2.5
3
url pkg:composer/silverstripe/graphql@4.3.4
purl pkg:composer/silverstripe/graphql@4.3.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.3.4
4
url pkg:composer/silverstripe/graphql@5.0.3
purl pkg:composer/silverstripe/graphql@5.0.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@5.0.3
aliases CVE-2023-40180, GHSA-v23w-pppm-jh66
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3t8k-6f9c-yue7
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@3.8.2