Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-68jh-rf6x-836f: @apollo/server vulnerable to unsafe application of Content Security Policy via reused nonces

Context

Content Security Policies (CSP) are a defense-in-depth strategy against XSS attacks. Improper application of CSP isn’t itself a vulnerability, but it does fail to prevent XSS in the event that there is a viable attack vector for an XSS attack.

Impact

There aren’t any XSS attack vectors via the Apollo Server landing pages known to Apollo, so to our knowledge there is no impact. However, if there are existing XSS vectors that haven’t been reported and patched, then all users of Apollo Server’s landing pages have a vulnerability which won’t be prevented by the current CSP implemented by the landing pages.

Patches

The issue is patched in the latest version of Apollo Server, v4.7.4.

Workarounds

The landing page can be disabled completely until the patch can be upgraded to. https://www.apollographql.com/docs/apollo-server/api/plugin/landing-pages/#disabling-the-landing-page

References

https://content-security-policy.com/nonce/

ghsa
Open in Source
#xss#vulnerability

Context

Content Security Policies (CSP) are a defense-in-depth strategy against XSS attacks. Improper application of CSP isn’t itself a vulnerability, but it does fail to prevent XSS in the event that there is a viable attack vector for an XSS attack.

Impact

There aren’t any XSS attack vectors via the Apollo Server landing pages known to Apollo, so to our knowledge there is no impact. However, if there are existing XSS vectors that haven’t been reported and patched, then all users of Apollo Server’s landing pages have a vulnerability which won’t be prevented by the current CSP implemented by the landing pages.

Patches

The issue is patched in the latest version of Apollo Server, v4.7.4.

Workarounds

The landing page can be disabled completely until the patch can be upgraded to.
https://www.apollographql.com/docs/apollo-server/api/plugin/landing-pages/#disabling-the-landing-page

References

https://content-security-policy.com/nonce/

References

  • GHSA-68jh-rf6x-836f
  • apollographql/apollo-server@0adaf80

ghsa: Latest News

GHSA-m43g-m425-p68x: junit-platform-reporting can leak Git credentials through its OpenTestReportGeneratingListener
ghsa