Description
GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. 20.9 and 19.11 are also fixed versions.
A vulnerability was found in GraphQL Java, affecting versions prior to 21.5. This flaw allows an attacker to perform a denial of service (DoS) attack via introspection queries. The issue arises due to the improper handling of ExecutableNormalizedFields (ENFs), which are not adequately considered during the introspection query process. This issue could lead to resource exhaustion and service disruption under certain conditions.
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat build of Apicurio Registry 2 | com.graphql-java/graphql-java | Not affected | | |
| Red Hat Fuse 7 | com.graphql-java/graphql-java | Out of support scope | | |
| Red Hat Integration Camel K 1 | com.graphql-java/graphql-java | Out of support scope | | |
| Red Hat JBoss Enterprise Application Platform 7 | com.graphql-java/graphql-java | Out of support scope | | |
| Red Hat JBoss Enterprise Application Platform 8 | com.graphql-java/graphql-java | Not affected | | |
| Red Hat JBoss Enterprise Application Platform Expansion Pack | com.graphql-java/graphql-java | Not affected | | |
| Cryostat 3 on RHEL 8 | cryostat-tech-preview/cryostat-db-rhel8 | Fixed | RHSA-2024:8329 | 22.10.2024 |
| Cryostat 3 on RHEL 8 | cryostat-tech-preview/cryostat-grafana-dashboard-rhel8 | Fixed | RHSA-2024:8329 | 22.10.2024 |
| Cryostat 3 on RHEL 8 | cryostat-tech-preview/cryostat-operator-bundle | Fixed | RHSA-2024:8329 | 22.10.2024 |
| Cryostat 3 on RHEL 8 | cryostat-tech-preview/cryostat-ose-oauth-proxy-rhel8 | Fixed | RHSA-2024:8329 | 22.10.2024 |
Additional information
EPSS
CVSS3: 7.5 High
Related vulnerabilities
GraphQL Java does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service
EPSS
CVSS3: 7.5 High