WS-2020-0108 (Medium) detected in apollo-server-core-2.13.1.tgz

[mend-bolt-for-github[bot]]

WS-2020-0108 - Medium Severity Vulnerability

Vulnerable Library - apollo-server-core-2.13.1.tgz

Core engine for Apollo GraphQL server

Library home page: https://registry.npmjs.org/apollo-server-core/-/apollo-server-core-2.13.1.tgz

Path to dependency file: /tmp/ws-scm/dim-api/package.json

Path to vulnerable library: /tmp/ws-scm/dim-api/node_modules/apollo-server-core/package.json

Dependency Hierarchy: - apollo-server-express-2.13.1.tgz (Root Library) - :x: **apollo-server-core-2.13.1.tgz** (Vulnerable Library)

Found in HEAD commit: 904724717e69016e2029e45be35427c2a0878329

Vulnerability Details

Apollo-server-core before 2.4.12 is vulnerable to Information Exposure. The package does not properly enforce validation rules when creating subscription servers, which includes a NoInstrospection rule for the Websocket. This leaks the GraphQL schema types, their relations and human-readable names.

Publish Date: 2020-06-05

URL: WS-2020-0108

CVSS 3 Score Details (5.4)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: N/A - Attack Complexity: N/A - Privileges Required: N/A - User Interaction: N/A - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-w42g-7vfc-xf37

Release Date: 2020-06-08

Fix Resolution: apollo-server-core - 2.14.2

---

Step up your Open Source Security Game with WhiteSource here

[github-actions[bot]]

Stale issue message