Vulnerability-Lookup

CVE-2024-32971 (GCVE-0-2024-32971)

Vulnerability from cvelistv5 – Published: 2024-05-02 06:43 – Updated: 2024-08-02 02:27

Title

Defect in query plan cache may cause incorrect operations to be executed in Apollo Router

Summary

Apollo Router is a configurable, graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. The affected versions of Apollo Router contain a bug that in limited circumstances, could lead to unexpected operations being executed which can result in unintended data or effects. This only affects Router instances configured to use distributed query plan caching. The root cause of this defect is a bug in Apollo Router’s cache retrieval logic: When this defect is present and distributed query planning caching is enabled, asking the Router to execute an operation (whether it is a query, a mutation, or a subscription) may result in an unexpected variation of that operation being executed or the generation of unexpected errors. The issue stems from inadvertently executing a modified version of a previously executed operation, whose query plan is stored in the underlying cache (specifically, Redis). Depending on the type of the operation, the result may vary. For a query, results may be fetched that don’t match what was requested (e.g., rather than running `fetchUsers(type: ENTERPRISE)` the Router may run `fetchUsers(type: TRIAL)`. For a mutation, this may result in incorrect mutations being sent to underlying subgraph servers (e.g., rather than sending `deleteUser(id: 10)` to a subgraph, the Router may run `deleteUser(id: 12)`. Users who are using distributed query plan caching, are advised to either upgrade to version 1.45.1 or above or downgrade to version 1.43.2 of the Apollo Router. Apollo Router versions 1.44.0 or 1.45.0 are not recommended for use and have been withdrawn. Users unable to upgrade can disable distributed query plan caching to mitigate this issue.

Severity ?

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-670 - Always-Incorrect Control Flow Implementation
CWE-440 - Expected Behavior Violation

Assigner

GitHub_M

References

URL

Tags

	https://github.com/apollographql/router/security/…	x_refsource_CONFIRM
	https://github.com/apollographql/router/commit/ff…	x_refsource_MISC
	https://github.com/apollographql/router/releases/…	x_refsource_MISC
	https://www.apollographql.com/docs/router/configu…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	apollographql	router	Affected: >=1.44.0, <1.45.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:apollographql:apollo_router:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "apollo_router",
            "vendor": "apollographql",
            "versions": [
              {
                "lessThan": "1.45.1",
                "status": "affected",
                "version": "1.44.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-32971",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-03T15:09:53.762624Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-03T20:56:05.085Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:27:52.865Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v"
          },
          {
            "name": "https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529"
          },
          {
            "name": "https://github.com/apollographql/router/releases/tag/v1.45.1",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/apollographql/router/releases/tag/v1.45.1"
          },
          {
            "name": "https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "router",
          "vendor": "apollographql",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e=1.44.0, \u003c1.45.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Apollo Router is a configurable, graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. The affected versions of Apollo Router contain a bug that in limited circumstances, could lead to unexpected operations being executed which can result in unintended data or effects. This only affects Router instances configured to use distributed query plan caching. The root cause of this defect is a bug in Apollo Router\u2019s cache retrieval logic: When this defect is present and distributed query planning caching is enabled, asking the Router to execute an operation (whether it is a query, a mutation, or a subscription) may result in an unexpected variation of that operation being executed or the generation of unexpected errors. The issue stems from inadvertently executing a modified version of a previously executed operation, whose query plan is stored in the underlying cache (specifically, Redis). Depending on the type of the operation, the result may vary. For a query, results may be fetched that don\u2019t match what was requested (e.g., rather than running `fetchUsers(type: ENTERPRISE)` the Router may run `fetchUsers(type: TRIAL)`. For a mutation, this may result in incorrect mutations being sent to underlying subgraph servers (e.g., rather than sending `deleteUser(id: 10)` to a subgraph, the Router may run `deleteUser(id: 12)`. Users who are using distributed query plan caching, are advised to either upgrade to version 1.45.1 or above or downgrade to version 1.43.2 of the Apollo Router. Apollo Router versions 1.44.0 or 1.45.0 are not recommended for use and have been withdrawn. Users unable to upgrade can disable distributed query plan caching to mitigate this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-670",
              "description": "CWE-670: Always-Incorrect Control Flow Implementation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-440",
              "description": "CWE-440: Expected Behavior Violation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-02T06:43:27.646Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v"
        },
        {
          "name": "https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529"
        },
        {
          "name": "https://github.com/apollographql/router/releases/tag/v1.45.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/apollographql/router/releases/tag/v1.45.1"
        },
        {
          "name": "https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching"
        }
      ],
      "source": {
        "advisory": "GHSA-q9p4-hw9m-fj2v",
        "discovery": "UNKNOWN"
      },
      "title": "Defect in query plan cache may cause incorrect operations to be executed in Apollo Router"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-32971",
    "datePublished": "2024-05-02T06:43:27.646Z",
    "dateReserved": "2024-04-22T15:14:59.165Z",
    "dateUpdated": "2024-08-02T02:27:52.865Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v\", \"name\": \"https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529\", \"name\": \"https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/apollographql/router/releases/tag/v1.45.1\", \"name\": \"https://github.com/apollographql/router/releases/tag/v1.45.1\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching\", \"name\": \"https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T02:27:52.865Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-32971\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-03T15:09:53.762624Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:apollographql:apollo_router:*:*:*:*:*:*:*:*\"], \"vendor\": \"apollographql\", \"product\": \"apollo_router\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.44.0\", \"lessThan\": \"1.45.1\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-03T15:12:52.314Z\"}}], \"cna\": {\"title\": \"Defect in query plan cache may cause incorrect operations to be executed in Apollo Router\", \"source\": {\"advisory\": \"GHSA-q9p4-hw9m-fj2v\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"apollographql\", \"product\": \"router\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e=1.44.0, \u003c1.45.1\"}]}], \"references\": [{\"url\": \"https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v\", \"name\": \"https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529\", \"name\": \"https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/apollographql/router/releases/tag/v1.45.1\", \"name\": \"https://github.com/apollographql/router/releases/tag/v1.45.1\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching\", \"name\": \"https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Apollo Router is a configurable, graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. The affected versions of Apollo Router contain a bug that in limited circumstances, could lead to unexpected operations being executed which can result in unintended data or effects. This only affects Router instances configured to use distributed query plan caching. The root cause of this defect is a bug in Apollo Router\\u2019s cache retrieval logic: When this defect is present and distributed query planning caching is enabled, asking the Router to execute an operation (whether it is a query, a mutation, or a subscription) may result in an unexpected variation of that operation being executed or the generation of unexpected errors. The issue stems from inadvertently executing a modified version of a previously executed operation, whose query plan is stored in the underlying cache (specifically, Redis). Depending on the type of the operation, the result may vary. For a query, results may be fetched that don\\u2019t match what was requested (e.g., rather than running `fetchUsers(type: ENTERPRISE)` the Router may run `fetchUsers(type: TRIAL)`. For a mutation, this may result in incorrect mutations being sent to underlying subgraph servers (e.g., rather than sending `deleteUser(id: 10)` to a subgraph, the Router may run `deleteUser(id: 12)`. Users who are using distributed query plan caching, are advised to either upgrade to version 1.45.1 or above or downgrade to version 1.43.2 of the Apollo Router. Apollo Router versions 1.44.0 or 1.45.0 are not recommended for use and have been withdrawn. Users unable to upgrade can disable distributed query plan caching to mitigate this issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-670\", \"description\": \"CWE-670: Always-Incorrect Control Flow Implementation\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-440\", \"description\": \"CWE-440: Expected Behavior Violation\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-05-02T06:43:27.646Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-32971\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T02:27:52.865Z\", \"dateReserved\": \"2024-04-22T15:14:59.165Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-05-02T06:43:27.646Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-Q9P4-HW9M-FJ2V

Vulnerability from github – Published: 2024-05-02 08:20 – Updated: 2024-05-02 19:35

Summary

Apollo Router vulnerable to Critical Regression In Query Plan Cache

Details

Impact

Any instance of Apollo Router 1.44.0 or 1.45.0 that is using Distributed Query Plan Caching is impacted. These versions were released on 2024-04-12 and 2024-04-22 respectively.

The affected versions of Apollo Router contain a bug that could lead to unexpected operations being executed, which can result in unintended data or effects. This only affects Router instances configured to use distributed query plan caching. Router versions other than the ones listed above, and all Router deployments that are not using distributed query plan caching, are unaffected by this defect.

If you are using the affected versions, you can check your router’s configuration YAML to verify if you are impacted:

supergraph:
  query_planning:
    cache:
      # Look for this config below
      redis:
        urls: ["redis://..."]

A full reference on the Distributed Query Plan Caching feature is available here.

Impact detail

The root cause of this defect is a bug in Apollo Router’s cache retrieval logic: When this defect is present and distributed query planning caching is enabled, asking the Router to execute an operation (whether it is a query, a mutation, or a subscription) may result in an unexpected variation of that operation being executed or the generation of unexpected errors.

The issue stems from inadvertently executing a modified version of a previously executed operation, whose query plan is stored in the underlying cache (specifically, Redis). Depending on the type of the operation, the result may vary. For a query, results may be fetched that don’t match what was requested (e.g., rather than running fetchUsers(type: ENTERPRISE) the Router may run fetchUsers(type: TRIAL). For a mutation, this may result in incorrect mutations being sent to underlying subgraph servers (e.g., rather than sending deleteUser(id: 10) to a subgraph, the Router may run deleteUser(id: 12).

Patches

Apollo Router 1.45.1

If you are using distributed query plan caching, please either upgrade to version 1.45.1 or above or downgrade to version 1.43.2 of the Apollo Router. We do not recommend Apollo Router versions 1.44.0 or 1.45.0 for use and have withdrawn these releases. If you use impacted versions in production, we recommend that you migrate away immediately by redeploying to an unaffected Router version. For non-production use cases, we recommend you migrate at your earliest convenience.

Workarounds

If you cannot upgrade or downgrade, you can disable distributed query plan caching by removing the supergraph.query_planning.cache.redis.urls configuration. Please note that when distributed query plan caching is disabled, each Router instance will maintain its own in-memory query plan cache. This may increase resource utilization for each Router instance and could increase cold-start times as each Router instance builds its query plan cache.

References

Apollo Router 1.45.1 Release Notes

Severity ?

9.0 (Critical)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "apollo-router"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.44.0"
            },
            {
              "fixed": "1.45.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-32971"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-440"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-02T08:20:00Z",
    "nvd_published_at": "2024-05-02T07:15:21Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nAny instance of Apollo Router 1.44.0 or 1.45.0 that is using Distributed Query Plan Caching is impacted. These versions were released on 2024-04-12 and 2024-04-22 respectively.\n\nThe affected versions of Apollo Router contain a bug that could lead to unexpected operations being executed, which can result in unintended data or effects. This only affects Router instances configured to use distributed query plan caching. Router versions other than the ones listed above, and all Router deployments that are not using distributed query plan caching, are unaffected by this defect.\n\nIf you are using the affected versions, you can check your router\u2019s configuration YAML to verify if you are impacted:\n\n\n```yaml\nsupergraph:\n  query_planning:\n    cache:\n      # Look for this config below\n      redis:\n        urls: [\"redis://...\"]\n```\nA full reference on the[ Distributed Query Plan Caching feature is available here.](https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching)\n\n### Impact detail\nThe root cause of this defect is a bug in Apollo Router\u2019s cache retrieval logic: When this defect is present and distributed query planning caching is enabled, asking the Router to execute an operation (whether it is a query, a mutation, or a subscription) may result in an unexpected variation of that operation being executed or the generation of unexpected errors.  \n\nThe issue stems from inadvertently executing a modified version of a previously executed operation, whose query plan is stored in the underlying cache (specifically, Redis). Depending on the type of the operation, the result may vary.  For a query, results may be fetched that don\u2019t match what was requested (e.g., rather than running `fetchUsers(type: ENTERPRISE)` the Router may run `fetchUsers(type: TRIAL)`.  For a mutation, this may result in incorrect mutations being sent to underlying subgraph servers (e.g., rather than sending `deleteUser(id: 10)` to a subgraph, the Router may run `deleteUser(id: 12)`.\n\n### Patches\nApollo Router 1.45.1\n\nIf you are using distributed query plan caching, please either upgrade to version 1.45.1 or above or downgrade to version 1.43.2 of the Apollo Router. We do not recommend Apollo Router versions 1.44.0 or 1.45.0 for use and have withdrawn these releases. If you use impacted versions in production, we recommend that you migrate away immediately by redeploying to an unaffected Router version. For non-production use cases, we recommend you migrate at your earliest convenience.\n\n### Workarounds\nIf you cannot upgrade or downgrade, you can disable distributed query plan caching by removing the `supergraph.query_planning.cache.redis.urls` configuration. Please note that when distributed query plan caching is disabled, each Router instance will maintain its own in-memory query plan cache. This may increase resource utilization for each Router instance and could increase cold-start times as each Router instance builds its query plan cache.\n\n### References\n[Apollo Router 1.45.1 Release Notes](https://github.com/apollographql/router/releases/tag/v1.45.1)",
  "id": "GHSA-q9p4-hw9m-fj2v",
  "modified": "2024-05-02T19:35:51Z",
  "published": "2024-05-02T08:20:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32971"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apollographql/router"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apollographql/router/releases/tag/v1.45.1"
    },
    {
      "type": "WEB",
      "url": "https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apollo Router vulnerable to Critical Regression In Query Plan Cache"
}

GSD-2024-32971

Vulnerability from gsd - Updated: 2024-04-23 05:02

Details

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Aliases

CVE-2024-32971

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-32971"
      ],
      "id": "GSD-2024-32971",
      "modified": "2024-04-23T05:02:10.453071Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2024-32971",
        "STATE": "RESERVED"
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
          }
        ]
      }
    }
  }
}

FKIE_CVE-2024-32971

Vulnerability from fkie_nvd - Published: 2024-05-02 07:15 - Updated: 2024-11-21 09:16

Severity ?

9.0 (Critical) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529
	security-advisories@github.com	https://github.com/apollographql/router/releases/tag/v1.45.1
	security-advisories@github.com	https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v
	security-advisories@github.com	https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/apollographql/router/releases/tag/v1.45.1
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v
	af854a3a-2127-422b-91ae-364da2661108	https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Apollo Router is a configurable, graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. The affected versions of Apollo Router contain a bug that in limited circumstances, could lead to unexpected operations being executed which can result in unintended data or effects. This only affects Router instances configured to use distributed query plan caching. The root cause of this defect is a bug in Apollo Router\u2019s cache retrieval logic: When this defect is present and distributed query planning caching is enabled, asking the Router to execute an operation (whether it is a query, a mutation, or a subscription) may result in an unexpected variation of that operation being executed or the generation of unexpected errors. The issue stems from inadvertently executing a modified version of a previously executed operation, whose query plan is stored in the underlying cache (specifically, Redis). Depending on the type of the operation, the result may vary. For a query, results may be fetched that don\u2019t match what was requested (e.g., rather than running `fetchUsers(type: ENTERPRISE)` the Router may run `fetchUsers(type: TRIAL)`. For a mutation, this may result in incorrect mutations being sent to underlying subgraph servers (e.g., rather than sending `deleteUser(id: 10)` to a subgraph, the Router may run `deleteUser(id: 12)`. Users who are using distributed query plan caching, are advised to either upgrade to version 1.45.1 or above or downgrade to version 1.43.2 of the Apollo Router. Apollo Router versions 1.44.0 or 1.45.0 are not recommended for use and have been withdrawn. Users unable to upgrade can disable distributed query plan caching to mitigate this issue."
    },
    {
      "lang": "es",
      "value": "Apollo Router es un router de gr\u00e1ficos configurable escrito en Rust para ejecutar un supergrafo federado que utiliza Apollo Federation 2. Las versiones afectadas de Apollo Router contienen un error que, en circunstancias limitadas, podr\u00eda provocar la ejecuci\u00f3n de operaciones inesperadas que pueden generar datos no deseados o efectos. Esto solo afecta a las instancias del router configuradas para utilizar el almacenamiento en cach\u00e9 del plan de consultas distribuidas. La causa principal de este defecto es un error en la l\u00f3gica de recuperaci\u00f3n de cach\u00e9 del router Apollo: cuando este defecto est\u00e1 presente y el almacenamiento en cach\u00e9 de planificaci\u00f3n de consultas distribuidas est\u00e1 habilitado, se solicita al router que ejecute una operaci\u00f3n (ya sea una consulta, una mutaci\u00f3n o una suscripci\u00f3n). puede resultar en una variaci\u00f3n inesperada de esa operaci\u00f3n que se ejecuta o en la generaci\u00f3n de errores inesperados. El problema surge de la ejecuci\u00f3n inadvertida de una versi\u00f3n modificada de una operaci\u00f3n ejecutada previamente, cuyo plan de consulta se almacena en la memoria cach\u00e9 subyacente (espec\u00edficamente, Redis). Dependiendo del tipo de operaci\u00f3n, el resultado puede variar. Para una consulta, es posible que se obtengan resultados que no coincidan con lo solicitado (por ejemplo, en lugar de ejecutar `fetchUsers(type: ENTERPRISE)`, el router puede ejecutar `fetchUsers(type: TRIAL)`. Para una mutaci\u00f3n, esto puede resultar en mutaciones incorrectas que se env\u00edan a servidores de subgrafos subyacentes (por ejemplo, en lugar de enviar `deleteUser(id: 10)` a un subgrafo, el router puede ejecutar `deleteUser(id: 12)`. Se recomienda a los usuarios que utilicen el almacenamiento en cach\u00e9 de planes de consulta distribuidos que actualicen a la versi\u00f3n 1.45.1 o superior, o bien que reduzcan a la versi\u00f3n 1.43.2 del router Apollo. No se recomienda el uso de las versiones 1.44.0 o 1.45.0 del router Apollo y se han retirado. Los usuarios que no puedan actualizar pueden desactivar el almacenamiento en cach\u00e9 del plan de consultas distribuidas para mitigar este problema."
    }
  ],
  "id": "CVE-2024-32971",
  "lastModified": "2024-11-21T09:16:08.317",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-05-02T07:15:21.733",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/apollographql/router/releases/tag/v1.45.1"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/apollographql/router/releases/tag/v1.45.1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-440"
        },
        {
          "lang": "en",
          "value": "CWE-670"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-32971 (GCVE-0-2024-32971)

GHSA-Q9P4-HW9M-FJ2V

Impact

Impact detail

Patches

Workarounds

References

GSD-2024-32971

FKIE_CVE-2024-32971

Tags

Sightings

Nomenclature