CVE-2024-32971 (GCVE-0-2024-32971)
Vulnerability from cvelistv5
Published
2024-05-02 06:43
Modified
2024-08-02 02:27
Severity ?
9.0 (Critical) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE
  • CWE-670 - Always-Incorrect Control Flow Implementation
  • CWE-440 - Expected Behavior Violation
Summary
Apollo Router is a configurable, graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. The affected versions of Apollo Router contain a bug that in limited circumstances, could lead to unexpected operations being executed which can result in unintended data or effects. This only affects Router instances configured to use distributed query plan caching. The root cause of this defect is a bug in Apollo Router’s cache retrieval logic: When this defect is present and distributed query planning caching is enabled, asking the Router to execute an operation (whether it is a query, a mutation, or a subscription) may result in an unexpected variation of that operation being executed or the generation of unexpected errors. The issue stems from inadvertently executing a modified version of a previously executed operation, whose query plan is stored in the underlying cache (specifically, Redis). Depending on the type of the operation, the result may vary. For a query, results may be fetched that don’t match what was requested (e.g., rather than running `fetchUsers(type: ENTERPRISE)` the Router may run `fetchUsers(type: TRIAL)`. For a mutation, this may result in incorrect mutations being sent to underlying subgraph servers (e.g., rather than sending `deleteUser(id: 10)` to a subgraph, the Router may run `deleteUser(id: 12)`. Users who are using distributed query plan caching, are advised to either upgrade to version 1.45.1 or above or downgrade to version 1.43.2 of the Apollo Router. Apollo Router versions 1.44.0 or 1.45.0 are not recommended for use and have been withdrawn. Users unable to upgrade can disable distributed query plan caching to mitigate this issue.
References
Impacted products
Vendor Product Version
apollographql router Version: >=1.44.0, <1.45.1
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:apollographql:apollo_router:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "apollo_router",
            "vendor": "apollographql",
            "versions": [
              {
                "lessThan": "1.45.1",
                "status": "affected",
                "version": "1.44.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-32971",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-03T15:09:53.762624Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-03T20:56:05.085Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:27:52.865Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v"
          },
          {
            "name": "https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529"
          },
          {
            "name": "https://github.com/apollographql/router/releases/tag/v1.45.1",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/apollographql/router/releases/tag/v1.45.1"
          },
          {
            "name": "https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "router",
          "vendor": "apollographql",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e=1.44.0, \u003c1.45.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Apollo Router is a configurable, graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. The affected versions of Apollo Router contain a bug that in limited circumstances, could lead to unexpected operations being executed which can result in unintended data or effects. This only affects Router instances configured to use distributed query plan caching. The root cause of this defect is a bug in Apollo Router\u2019s cache retrieval logic: When this defect is present and distributed query planning caching is enabled, asking the Router to execute an operation (whether it is a query, a mutation, or a subscription) may result in an unexpected variation of that operation being executed or the generation of unexpected errors. The issue stems from inadvertently executing a modified version of a previously executed operation, whose query plan is stored in the underlying cache (specifically, Redis). Depending on the type of the operation, the result may vary. For a query, results may be fetched that don\u2019t match what was requested (e.g., rather than running `fetchUsers(type: ENTERPRISE)` the Router may run `fetchUsers(type: TRIAL)`. For a mutation, this may result in incorrect mutations being sent to underlying subgraph servers (e.g., rather than sending `deleteUser(id: 10)` to a subgraph, the Router may run `deleteUser(id: 12)`. Users who are using distributed query plan caching, are advised to either upgrade to version 1.45.1 or above or downgrade to version 1.43.2 of the Apollo Router. Apollo Router versions 1.44.0 or 1.45.0 are not recommended for use and have been withdrawn. Users unable to upgrade can disable distributed query plan caching to mitigate this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-670",
              "description": "CWE-670: Always-Incorrect Control Flow Implementation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-440",
              "description": "CWE-440: Expected Behavior Violation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-02T06:43:27.646Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v"
        },
        {
          "name": "https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529"
        },
        {
          "name": "https://github.com/apollographql/router/releases/tag/v1.45.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/apollographql/router/releases/tag/v1.45.1"
        },
        {
          "name": "https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching"
        }
      ],
      "source": {
        "advisory": "GHSA-q9p4-hw9m-fj2v",
        "discovery": "UNKNOWN"
      },
      "title": "Defect in query plan cache may cause incorrect operations to be executed in Apollo Router"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-32971",
    "datePublished": "2024-05-02T06:43:27.646Z",
    "dateReserved": "2024-04-22T15:14:59.165Z",
    "dateUpdated": "2024-08-02T02:27:52.865Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v\", \"name\": \"https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529\", \"name\": \"https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/apollographql/router/releases/tag/v1.45.1\", \"name\": \"https://github.com/apollographql/router/releases/tag/v1.45.1\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching\", \"name\": \"https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T02:27:52.865Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-32971\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-03T15:09:53.762624Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:apollographql:apollo_router:*:*:*:*:*:*:*:*\"], \"vendor\": \"apollographql\", \"product\": \"apollo_router\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.44.0\", \"lessThan\": \"1.45.1\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-03T15:12:52.314Z\"}}], \"cna\": {\"title\": \"Defect in query plan cache may cause incorrect operations to be executed in Apollo Router\", \"source\": {\"advisory\": \"GHSA-q9p4-hw9m-fj2v\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"apollographql\", \"product\": \"router\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e=1.44.0, \u003c1.45.1\"}]}], \"references\": [{\"url\": \"https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v\", \"name\": \"https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529\", \"name\": \"https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/apollographql/router/releases/tag/v1.45.1\", \"name\": \"https://github.com/apollographql/router/releases/tag/v1.45.1\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching\", \"name\": \"https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Apollo Router is a configurable, graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. The affected versions of Apollo Router contain a bug that in limited circumstances, could lead to unexpected operations being executed which can result in unintended data or effects. This only affects Router instances configured to use distributed query plan caching. The root cause of this defect is a bug in Apollo Router\\u2019s cache retrieval logic: When this defect is present and distributed query planning caching is enabled, asking the Router to execute an operation (whether it is a query, a mutation, or a subscription) may result in an unexpected variation of that operation being executed or the generation of unexpected errors. The issue stems from inadvertently executing a modified version of a previously executed operation, whose query plan is stored in the underlying cache (specifically, Redis). Depending on the type of the operation, the result may vary. For a query, results may be fetched that don\\u2019t match what was requested (e.g., rather than running `fetchUsers(type: ENTERPRISE)` the Router may run `fetchUsers(type: TRIAL)`. For a mutation, this may result in incorrect mutations being sent to underlying subgraph servers (e.g., rather than sending `deleteUser(id: 10)` to a subgraph, the Router may run `deleteUser(id: 12)`. Users who are using distributed query plan caching, are advised to either upgrade to version 1.45.1 or above or downgrade to version 1.43.2 of the Apollo Router. Apollo Router versions 1.44.0 or 1.45.0 are not recommended for use and have been withdrawn. Users unable to upgrade can disable distributed query plan caching to mitigate this issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-670\", \"description\": \"CWE-670: Always-Incorrect Control Flow Implementation\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-440\", \"description\": \"CWE-440: Expected Behavior Violation\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-05-02T06:43:27.646Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-32971\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T02:27:52.865Z\", \"dateReserved\": \"2024-04-22T15:14:59.165Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-05-02T06:43:27.646Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.