CVE-2025-64530
BaseFortify
Publication date: 2025-11-13
Last updated on: 2025-11-13
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apollo | apollo_federation | 2.10.4 |
| apollo | apollo_federation | 2.12.1 |
| apollo | apollo_federation | 2.11.5 |
| apollo | apollo_federation | 2.9.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Apollo Federation's composition logic before certain fixed versions. It allows some queries to Apollo Router to bypass access controls on types and fields. Specifically, user-defined access control directives on interface types or fields can be bypassed by querying the implementing object types or fields using inline fragments. The issue arises because Apollo Federation incorrectly allowed access control directives on interface types/fields, which could be circumvented. The fix disallows user-defined access control directives on interface types and fields to prevent this bypass.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to data by bypassing access controls on certain API types and fields in Apollo Router. Attackers or unauthorized users could query data they should not have access to by exploiting the bypass on interface types/fields. This could result in exposure of sensitive information or data leakage.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Apollo Federation composition logic to versions 2.9.5, 2.10.4, 2.11.5, or 2.12.1 or later. If you are using Apollo Rover with an unpatched composition version or Apollo Studio build pipeline with Federation version 2.8 or below, manually copy the access control requirements from interface types/fields to each implementing object type/field where appropriate. Do not remove access control requirements from interface types/fields, as unpatched Apollo Composition will not generate them automatically. If you are not using Apollo Router access control features or not specifying access control on interface types/fields, no action is needed.
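The manual workaround above (copy each access-control requirement from an interface type or field onto every implementing object type or field) is easy to get wrong in a large schema. The following audit script is an added example, not part of this advisory or of Apollo's own tooling: it parses a small subset of GraphQL SDL and reports every implementing object type or field that does not repeat an access-control directive declared on the interface it implements. The directive names it treats as access control (`@authenticated`, `@requiresScopes`, `@policy`) and the sample schema are assumptions made for the example; adjust `ACCESS_CONTROL_DIRECTIVES` to whatever directives your Router configuration uses.

```python
"""Audit a GraphQL SDL subset for access-control directives declared on an
interface (or its fields) that implementing object types do not repeat.

Assumptions made for this example (not taken from the advisory): the directive
names below are the access-control directives in use, the SDL declares one
field per line, and directive arguments contain no parentheses or braces."""
import re
from dataclasses import dataclass, field

ACCESS_CONTROL_DIRECTIVES = {"authenticated", "requiresScopes", "policy"}

# Constructed sample schema: one implementer copied the interface's
# requirements (Customer), one did not (Employee).
SAMPLE_SDL = """
interface Account @requiresScopes(scopes: [["account:read"]]) {
  id: ID!
  email: String! @authenticated
}

type Customer implements Account @requiresScopes(scopes: [["account:read"]]) {
  id: ID!
  email: String! @authenticated
  loyaltyTier: String
}

type Employee implements Account {
  id: ID!
  email: String!
  badgeNumber: String @authenticated
}
"""

_TYPE_RE = re.compile(
    r"\b(interface|type)\b\s+(\w+)\s*"        # kind and name
    r"(?:implements\s+([\w\s&]+?))?\s*"      # optional "implements A & B"
    r"((?:@\w+(?:\([^)]*\))?\s*)*)"          # directives on the definition
    r"\{([^}]*)\}",                          # body with the field lines
    re.DOTALL,
)
_FIELD_RE = re.compile(r"(\w+)\s*(?:\([^)]*\))?\s*:\s*(.*)$")
_DIRECTIVE_RE = re.compile(r"@(\w+)(\([^)]*\))?")


@dataclass
class TypeDef:
    kind: str
    name: str
    implements: list = field(default_factory=list)
    directives: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # field name -> directive strings


def _directives(text):
    """Return normalized '@name(args)' strings found in text."""
    return ["@" + name + re.sub(r"\s+", " ", args)
            for name, args in _DIRECTIVE_RE.findall(text)]


def _is_access_control(directive):
    return _DIRECTIVE_RE.match(directive).group(1) in ACCESS_CONTROL_DIRECTIVES


def parse_sdl(sdl):
    """Parse interface and object type definitions into TypeDef records."""
    defs = {}
    for kind, name, impls, dirs, body in _TYPE_RE.findall(sdl):
        t = TypeDef(kind=kind, name=name,
                    implements=[i.strip() for i in impls.split("&") if i.strip()],
                    directives=_directives(dirs))
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            m = _FIELD_RE.match(line)
            if m:
                t.fields[m.group(1)] = _directives(m.group(2))
        defs[name] = t
    return defs


def find_missing_access_controls(sdl):
    """Return (object_type, field_or_None, directive) triples for every
    interface access-control directive the implementer does not repeat."""
    defs = parse_sdl(sdl)
    findings = []
    for obj in defs.values():
        if obj.kind != "type":
            continue
        for iface_name in obj.implements:
            iface = defs.get(iface_name)
            if iface is None or iface.kind != "interface":
                continue
            for d in iface.directives:                 # type-level requirement
                if _is_access_control(d) and d not in obj.directives:
                    findings.append((obj.name, None, d))
            for fname, fdirs in iface.fields.items():  # field-level requirement
                for d in fdirs:
                    if _is_access_control(d) and d not in obj.fields.get(fname, []):
                        findings.append((obj.name, fname, d))
    return findings


if __name__ == "__main__":
    for obj, fld, directive in find_missing_access_controls(SAMPLE_SDL):
        where = obj if fld is None else f"{obj}.{fld}"
        print(f"{where} is missing {directive} declared on its interface")
```

Run it against each subgraph schema before composing: an empty result means every requirement on an interface is also present on the implementing object types, so an inline-fragment query on the concrete type meets the same check as a query through the interface. On the sample it flags `Employee` (no `@requiresScopes`) and `Employee.email` (no `@authenticated`), the exact gaps the bypass would reach on an unpatched composition.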