{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-32971", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-22T15:14:59.165Z", "datePublished": "2024-05-02T06:43:27.646Z", "dateUpdated": "2024-08-02T02:27:52.865Z"}, "containers": {"cna": {"title": "Defect in query plan cache may cause incorrect operations to be executed in Apollo Router", "problemTypes": [{"descriptions": [{"cweId": "CWE-670", "lang": "en", "description": "CWE-670: Always-Incorrect Control Flow Implementation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-440", "lang": "en", "description": "CWE-440: Expected Behavior Violation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v"}, {"name": "https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529", "tags": ["x_refsource_MISC"], "url": "https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529"}, {"name": "https://github.com/apollographql/router/releases/tag/v1.45.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/apollographql/router/releases/tag/v1.45.1"}, {"name": "https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching", "tags": ["x_refsource_MISC"], "url": "https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching"}], "affected": [{"vendor": "apollographql", "product": "router", "versions": [{"version": ">=1.44.0, <1.45.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-02T06:43:27.646Z"}, "descriptions": [{"lang": "en", "value": "Apollo Router is a configurable, graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. The affected versions of Apollo Router contain a bug that in limited circumstances, could lead to unexpected operations being executed which can result in unintended data or effects. This only affects Router instances configured to use distributed query plan caching. The root cause of this defect is a bug in Apollo Router\u2019s cache retrieval logic: When this defect is present and distributed query planning caching is enabled, asking the Router to execute an operation (whether it is a query, a mutation, or a subscription) may result in an unexpected variation of that operation being executed or the generation of unexpected errors. The issue stems from inadvertently executing a modified version of a previously executed operation, whose query plan is stored in the underlying cache (specifically, Redis). Depending on the type of the operation, the result may vary. For a query, results may be fetched that don\u2019t match what was requested (e.g., rather than running `fetchUsers(type: ENTERPRISE)` the Router may run `fetchUsers(type: TRIAL)`. For a mutation, this may result in incorrect mutations being sent to underlying subgraph servers (e.g., rather than sending `deleteUser(id: 10)` to a subgraph, the Router may run `deleteUser(id: 12)`. Users who are using distributed query plan caching, are advised to either upgrade to version 1.45.1 or above or downgrade to version 1.43.2 of the Apollo Router. Apollo Router versions 1.44.0 or 1.45.0 are not recommended for use and have been withdrawn. Users unable to upgrade can disable distributed query plan caching to mitigate this issue."}], "source": {"advisory": "GHSA-q9p4-hw9m-fj2v", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "apollographql", "product": "apollo_router", "cpes": ["cpe:2.3:a:apollographql:apollo_router:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.44.0", "status": "affected", "lessThan": "1.45.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-03T15:09:53.762624Z", "id": "CVE-2024-32971", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T20:56:05.085Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:27:52.865Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v"}, {"name": "https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529"}, {"name": "https://github.com/apollographql/router/releases/tag/v1.45.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/apollographql/router/releases/tag/v1.45.1"}, {"name": "https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v", "name": "https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529", "name": "https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/apollographql/router/releases/tag/v1.45.1", "name": "https://github.com/apollographql/router/releases/tag/v1.45.1", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching", "name": "https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:27:52.865Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32971", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-03T15:09:53.762624Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apollographql:apollo_router:*:*:*:*:*:*:*:*"], "vendor": "apollographql", "product": "apollo_router", "versions": [{"status": "affected", "version": "1.44.0", "lessThan": "1.45.1", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-03T15:12:52.314Z"}}], "cna": {"title": "Defect in query plan cache may cause incorrect operations to be executed in Apollo Router", "source": {"advisory": "GHSA-q9p4-hw9m-fj2v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "apollographql", "product": "router", "versions": [{"status": "affected", "version": ">=1.44.0, <1.45.1"}]}], "references": [{"url": "https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v", "name": "https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529", "name": "https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/apollographql/router/releases/tag/v1.45.1", "name": "https://github.com/apollographql/router/releases/tag/v1.45.1", "tags": ["x_refsource_MISC"]}, {"url": "https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching", "name": "https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Apollo Router is a configurable, graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. The affected versions of Apollo Router contain a bug that in limited circumstances, could lead to unexpected operations being executed which can result in unintended data or effects. This only affects Router instances configured to use distributed query plan caching. The root cause of this defect is a bug in Apollo Router\u2019s cache retrieval logic: When this defect is present and distributed query planning caching is enabled, asking the Router to execute an operation (whether it is a query, a mutation, or a subscription) may result in an unexpected variation of that operation being executed or the generation of unexpected errors. The issue stems from inadvertently executing a modified version of a previously executed operation, whose query plan is stored in the underlying cache (specifically, Redis). Depending on the type of the operation, the result may vary. For a query, results may be fetched that don\u2019t match what was requested (e.g., rather than running `fetchUsers(type: ENTERPRISE)` the Router may run `fetchUsers(type: TRIAL)`. For a mutation, this may result in incorrect mutations being sent to underlying subgraph servers (e.g., rather than sending `deleteUser(id: 10)` to a subgraph, the Router may run `deleteUser(id: 12)`. Users who are using distributed query plan caching, are advised to either upgrade to version 1.45.1 or above or downgrade to version 1.43.2 of the Apollo Router. Apollo Router versions 1.44.0 or 1.45.0 are not recommended for use and have been withdrawn. Users unable to upgrade can disable distributed query plan caching to mitigate this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-670", "description": "CWE-670: Always-Incorrect Control Flow Implementation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-440", "description": "CWE-440: Expected Behavior Violation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-02T06:43:27.646Z"}}}, "cveMetadata": {"cveId": "CVE-2024-32971", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:27:52.865Z", "dateReserved": "2024-04-22T15:14:59.165Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-05-02T06:43:27.646Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Apollo Router is a configurable, graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. The affected versions of Apollo Router contain a bug that in limited circumstances, could lead to unexpected operations being executed which can result in unintended data or effects. This only affects Router instances configured to use distributed query plan caching. The root cause of this defect is a bug in Apollo Router\u2019s cache retrieval logic: When this defect is present and distributed query planning caching is enabled, asking the Router to execute an operation (whether it is a query, a mutation, or a subscription) may result in an unexpected variation of that operation being executed or the generation of unexpected errors. The issue stems from inadvertently executing a modified version of a previously executed operation, whose query plan is stored in the underlying cache (specifically, Redis). Depending on the type of the operation, the result may vary. For a query, results may be fetched that don\u2019t match what was requested (e.g., rather than running `fetchUsers(type: ENTERPRISE)` the Router may run `fetchUsers(type: TRIAL)`. For a mutation, this may result in incorrect mutations being sent to underlying subgraph servers (e.g., rather than sending `deleteUser(id: 10)` to a subgraph, the Router may run `deleteUser(id: 12)`. Users who are using distributed query plan caching, are advised to either upgrade to version 1.45.1 or above or downgrade to version 1.43.2 of the Apollo Router. Apollo Router versions 1.44.0 or 1.45.0 are not recommended for use and have been withdrawn. Users unable to upgrade can disable distributed query plan caching to mitigate this issue."}, {"lang": "es", "value": "Apollo Router es un router de gr\u00e1ficos configurable escrito en Rust para ejecutar un supergrafo federado que utiliza Apollo Federation 2. Las versiones afectadas de Apollo Router contienen un error que, en circunstancias limitadas, podr\u00eda provocar la ejecuci\u00f3n de operaciones inesperadas que pueden generar datos no deseados o efectos. Esto solo afecta a las instancias del router configuradas para utilizar el almacenamiento en cach\u00e9 del plan de consultas distribuidas. La causa principal de este defecto es un error en la l\u00f3gica de recuperaci\u00f3n de cach\u00e9 del router Apollo: cuando este defecto est\u00e1 presente y el almacenamiento en cach\u00e9 de planificaci\u00f3n de consultas distribuidas est\u00e1 habilitado, se solicita al router que ejecute una operaci\u00f3n (ya sea una consulta, una mutaci\u00f3n o una suscripci\u00f3n). puede resultar en una variaci\u00f3n inesperada de esa operaci\u00f3n que se ejecuta o en la generaci\u00f3n de errores inesperados. El problema surge de la ejecuci\u00f3n inadvertida de una versi\u00f3n modificada de una operaci\u00f3n ejecutada previamente, cuyo plan de consulta se almacena en la memoria cach\u00e9 subyacente (espec\u00edficamente, Redis). Dependiendo del tipo de operaci\u00f3n, el resultado puede variar. Para una consulta, es posible que se obtengan resultados que no coincidan con lo solicitado (por ejemplo, en lugar de ejecutar `fetchUsers(type: ENTERPRISE)`, el router puede ejecutar `fetchUsers(type: TRIAL)`. Para una mutaci\u00f3n, esto puede resultar en mutaciones incorrectas que se env\u00edan a servidores de subgrafos subyacentes (por ejemplo, en lugar de enviar `deleteUser(id: 10)` a un subgrafo, el router puede ejecutar `deleteUser(id: 12)`. Se recomienda a los usuarios que utilicen el almacenamiento en cach\u00e9 de planes de consulta distribuidos que actualicen a la versi\u00f3n 1.45.1 o superior, o bien que reduzcan a la versi\u00f3n 1.43.2 del router Apollo. No se recomienda el uso de las versiones 1.44.0 o 1.45.0 del router Apollo y se han retirado. Los usuarios que no puedan actualizar pueden desactivar el almacenamiento en cach\u00e9 del plan de consultas distribuidas para mitigar este problema."}], "id": "CVE-2024-32971", "lastModified": "2024-05-02T13:27:25.103", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-02T07:15:21.733", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/apollographql/router/commit/ff9f666598cd17661880fe7fc6e9c9611316e529"}, {"source": "security-advisories@github.com", "url": "https://github.com/apollographql/router/releases/tag/v1.45.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/apollographql/router/security/advisories/GHSA-q9p4-hw9m-fj2v"}, {"source": "security-advisories@github.com", "url": "https://www.apollographql.com/docs/router/configuration/distributed-caching/#distributed-query-plan-caching"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-440"}, {"lang": "en", "value": "CWE-670"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}