CVE-2023-40180

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-40180

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-40180.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-40180

Aliases

GHSA-v23w-pppm-jh66

Published

2023-10-16T18:05:14Z

Modified

2025-11-04T20:12:07.186688Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Denial of service vulnerability in silverstripe-graphql via recursive queries

Details

silverstripe-graphql is a package which serves Silverstripe data in GraphQL representations. An attacker could use a recursive graphql query to execute a Distributed Denial of Service attack (DDOS attack) against a website. This mostly affects websites with publicly exposed graphql schemas. If your Silverstripe CMS project does not expose a public facing graphql schema, a user account is required to trigger the DDOS attack. If your site is hosted behind a content delivery network (CDN), such as Imperva or CloudFlare, this may further mitigate the risk. This issue has been addressed in versions 3.8.2, 4.1.3, 4.2.5, 4.3.4, and 5.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific

{
    "cwe_ids": [
        "CWE-400"
    ]
}

References

Affected packages

Git / github.com/silverstripe/silverstripe-graphql

Affected ranges

Type

GIT

Repo

https://github.com/silverstripe/silverstripe-graphql

Events

Introduced

11970d56f3e57f370359cf9edab4c27e9f766c3c

Fixed

7638a3faf892742e8fa5a2baeb5252133d0e97a5

Database specific

{
    "versions": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.8.2"
        }
    ]
}

Type

GIT

Repo

https://github.com/silverstripe/silverstripe-graphql

Events

Introduced

8e66e64953a6675bc7726a2421292cecafb93c1c

Fixed

f6d5976ec4608e51184b0db1ee5b9e9a99d2501c

Database specific

{
    "versions": [
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.1.3"
        }
    ]
}

Type

GIT

Repo

https://github.com/silverstripe/silverstripe-graphql

Events

Introduced

82a2262804432327df5120b821ca9b26e93ed5a1

Fixed

d1f9a0280b5a2e1930663c52fe99aaf444a3bb56

Database specific

{
    "versions": [
        {
            "introduced": "4.2.0"
        },
        {
            "fixed": "4.2.5"
        }
    ]
}

Type

GIT

Repo

https://github.com/silverstripe/silverstripe-graphql

Events

Introduced

5acba87191e184b3bdf3819ee8899db8d096a421

Fixed

442cb5755c534cde009954d583db1948865ec3d6

Database specific

{
    "versions": [
        {
            "introduced": "4.3.0"
        },
        {
            "fixed": "4.3.4"
        }
    ]
}

Type

GIT

Repo

https://github.com/silverstripe/silverstripe-graphql

Events

Introduced

0e020711e0c81f07d1bd03ffcd3fc53f06b40169

Fixed

85faae8eb64828420a41c078a35a3bbb69f29712

Database specific

{
    "versions": [
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.0.3"
        }
    ]
}

Affected versions

2.*

2.0.3

2.0.4

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.1.0-rc1

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.2.0

3.2.0-alpha1

3.2.0-rc1

3.2.0-rc2

3.2.1

3.2.2

3.2.3

3.2.4

3.3.0

3.3.0-beta1

3.3.0-rc1

3.4.0

3.4.0-beta1

3.4.0-rc1

3.4.1

3.5.0-beta1

3.5.0-rc1

3.5.1

3.6.0

3.6.0-alpha1

3.6.0-alpha2

3.6.0-beta1

3.6.0-rc1

3.7.0

3.7.1

3.7.2

3.8.0

3.8.1

4.*

4.0.0

4.0.1

4.0.2

4.1.0

4.1.0-beta1

4.1.0-rc1

4.1.1

4.1.2

4.1.3

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4

4.2.5

4.3.0

4.3.1

4.3.2

4.3.3

4.3.4

5.*

5.0.0

5.0.1

5.0.2