Apollo-server-core before 2.4.12 is vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoInstrospection rule for the Websocket. This leaks the GraphQL schema types, their relations and human-readable names.
WS-2020-0108 - Medium Severity Vulnerability
Vulnerable Library - apollo-server-core-2.13.1.tgz
Core engine for Apollo GraphQL server
Library home page: https://registry.npmjs.org/apollo-server-core/-/apollo-server-core-2.13.1.tgz
Path to dependency file: /tmp/ws-scm/dim-api/package.json
Path to vulnerable library: /tmp/ws-scm/dim-api/node_modules/apollo-server-core/package.json
Dependency Hierarchy: - apollo-server-express-2.13.1.tgz (Root Library) - :x: **apollo-server-core-2.13.1.tgz** (Vulnerable Library)
Found in HEAD commit: 904724717e69016e2029e45be35427c2a0878329
Vulnerability Details
Apollo-server-core before 2.4.12 is vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoInstrospection rule for the Websocket. This leaks the GraphQL schema types, their relations and human-readable names.
Publish Date: 2020-06-05
URL: WS-2020-0108
CVSS 3 Score Details (5.4)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: N/A - Attack Complexity: N/A - Privileges Required: N/A - User Interaction: N/A - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-w42g-7vfc-xf37
Release Date: 2020-06-08
Fix Resolution: apollo-server-core - 2.14.2
Step up your Open Source Security Game with WhiteSource here