Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-3t8k-6f9c-yue7

Summary

Uncontrolled Resource Consumption
silverstripe-graphql is a package which serves Silverstripe data in GraphQL representations. An attacker could use a recursive graphql query to execute a Distributed Denial of Service attack (DDOS attack) against a website. This mostly affects websites with publicly exposed graphql schemas. If your Silverstripe CMS project does not expose a public facing graphql schema, a user account is required to trigger the DDOS attack. If your site is hosted behind a content delivery network (CDN), such as Imperva or CloudFlare, this may further mitigate the risk. This issue has been addressed in versions 3.8.2, 4.1.3, 4.2.5, 4.3.4, and 5.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Aliases

alias	CVE-2023-40180

alias	GHSA-v23w-pppm-jh66

Fixed_packages

url	pkg:composer/silverstripe/graphql@3.8.2
purl	pkg:composer/silverstripe/graphql@3.8.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@3.8.2

url	pkg:composer/silverstripe/graphql@4.1.3
purl	pkg:composer/silverstripe/graphql@4.1.3
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.1.3

url	pkg:composer/silverstripe/graphql@4.2.5
purl	pkg:composer/silverstripe/graphql@4.2.5
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.2.5

url	pkg:composer/silverstripe/graphql@4.3.4
purl	pkg:composer/silverstripe/graphql@4.3.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.3.4

url	pkg:composer/silverstripe/graphql@5.0.3
purl	pkg:composer/silverstripe/graphql@5.0.3
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@5.0.3

Affected_packages

url pkg:composer/silverstripe/graphql@3.0.0

purl pkg:composer/silverstripe/graphql@3.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3t8k-6f9c-yue7

vulnerability	VCID-r1eg-dwej-5kau

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@3.0.0

url pkg:composer/silverstripe/graphql@4.0.0

purl pkg:composer/silverstripe/graphql@4.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3t8k-6f9c-yue7

vulnerability	VCID-fx1q-f6zv-1ka1

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.0.0

url pkg:composer/silverstripe/graphql@4.2.0

purl pkg:composer/silverstripe/graphql@4.2.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3t8k-6f9c-yue7

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.2.0

url pkg:composer/silverstripe/graphql@4.3.0

purl pkg:composer/silverstripe/graphql@4.3.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3t8k-6f9c-yue7

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@4.3.0

url pkg:composer/silverstripe/graphql@5.0.0

purl pkg:composer/silverstripe/graphql@5.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3t8k-6f9c-yue7

vulnerability	VCID-fx1q-f6zv-1ka1

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/silverstripe/graphql@5.0.0

References

reference_url	https://docs.silverstripe.org/en/developer_guides/graphql/security_and_best_practices/recursive_or_complex_queries
reference_id
reference_type
scores
url	https://docs.silverstripe.org/en/developer_guides/graphql/security_and_best_practices/recursive_or_complex_queries

reference_url	https://github.com/silverstripe/silverstripe-graphql/commit/f6d5976ec4608e51184b0db1ee5b9e9a99d2501c
reference_id
reference_type
scores
url	https://github.com/silverstripe/silverstripe-graphql/commit/f6d5976ec4608e51184b0db1ee5b9e9a99d2501c

reference_url	https://github.com/silverstripe/silverstripe-graphql/tree/3.8#recursive-or-complex-queries
reference_id
reference_type
scores
url	https://github.com/silverstripe/silverstripe-graphql/tree/3.8#recursive-or-complex-queries

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2023-40180
reference_id	CVE-2023-40180
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2023-40180

reference_url	https://www.silverstripe.org/download/security-releases/CVE-2023-40180
reference_id	CVE-2023-40180
reference_type
scores
url	https://www.silverstripe.org/download/security-releases/CVE-2023-40180

reference_url	https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/graphql/CVE-2023-40180.yaml
reference_id	CVE-2023-40180.YAML
reference_type
scores
url	https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/graphql/CVE-2023-40180.yaml

reference_url	https://github.com/advisories/GHSA-v23w-pppm-jh66
reference_id	GHSA-v23w-pppm-jh66
reference_type
scores
url	https://github.com/advisories/GHSA-v23w-pppm-jh66

reference_url	https://github.com/silverstripe/silverstripe-graphql/security/advisories/GHSA-v23w-pppm-jh66
reference_id	GHSA-v23w-pppm-jh66
reference_type
scores
url	https://github.com/silverstripe/silverstripe-graphql/security/advisories/GHSA-v23w-pppm-jh66

Weaknesses

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

cwe_id	400
name	Uncontrolled Resource Consumption
description	The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3t8k-6f9c-yue7

Vulnerability Instance