Lucene search

GitHub Advisory DatabaseGHSA-G56X-7J6W-G8R8

HistoryDec 18, 2023 - 11:26 p.m.

Grackle has StackOverflowError in GraphQL query processing

2023-12-1823:26:52

CWE-400

GitHub Advisory Database

github.com

grackle

v0.18.0

stack overflow

vulnerability

graphql

query processing

denial of service

untrusted users

fix

release

workarounds

sanitizing layer

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.4%

JSON

Impact

Prior to this fix, the GraphQL query parsing was vulnerable to StackOverflowErrors. The possibility of small queries resulting in stack overflow is a potential denial of service vulnerability.

This potentially affects all applications using Grackle which have untrusted users.

> [!CAUTION]
> No specific knowledge of an application’s GraphQL schema would be required to construct a pathological query.

Patches

The stack overflow issues have been resolved in the v0.18.0 release of Grackle.

Workarounds

Users could interpose a sanitizing layer in between untrusted input and Grackle query processing.

Affected configurations

Vulners

Node

org.typelevel\grackleMatchcore_native0.4_3

org.typelevel\grackleMatchcore_native0.4_2.13

org.typelevel\grackleMatchcore_sjs1_3

org.typelevel\grackleMatchcore_sjs1_2.13

graphqlgraphqlRange≤0.14.0

org.apache.spark\sparkMatchcore_2.13

org.typelevel\grackleMatchcore_native0.4_3

org.typelevel\grackleMatchcore_native0.4_2.13

org.typelevel\grackleMatchcore_sjs1_3

org.typelevel\grackleMatchcore_sjs1_2.13

org.typelevel\grackleMatchcore_3

org.typelevel\grackleMatchcore_2.13

CPENameOperatorVersion
edu.gemini:gsp-graphql-core_native0.4_3le0.14.0
edu.gemini:gsp-graphql-core_native0.4_2.13le0.14.0
edu.gemini:gsp-graphql-core_sjs1_3le0.14.0
edu.gemini:gsp-graphql-core_sjs1_2.13le0.14.0
edu.gemini:gsp-graphql-core_3le0.14.0
edu.gemini:gsp-graphql-core_2.13le0.14.0
org.typelevel:grackle-core_native0.4_3lt0.18.0
org.typelevel:grackle-core_native0.4_2.13lt0.18.0
org.typelevel:grackle-core_sjs1_3lt0.18.0
org.typelevel:grackle-core_sjs1_2.13lt0.18.0

Name	Operator	Version
edu.gemini:gsp-graphql-core_native0.4_3	le	0.14.0
edu.gemini:gsp-graphql-core_native0.4_2.13	le	0.14.0
edu.gemini:gsp-graphql-core_sjs1_3	le	0.14.0
edu.gemini:gsp-graphql-core_sjs1_2.13	le	0.14.0
edu.gemini:gsp-graphql-core_3	le	0.14.0
edu.gemini:gsp-graphql-core_2.13	le	0.14.0
org.typelevel:grackle-core_native0.4_3	lt	0.18.0
org.typelevel:grackle-core_native0.4_2.13	lt	0.18.0
org.typelevel:grackle-core_sjs1_3	lt	0.18.0
org.typelevel:grackle-core_sjs1_2.13	lt	0.18.0

Rows per page:

1-10 of 121

References

github.com/advisories/GHSA-g56x-7j6w-g8r8

github.com/typelevel/grackle/commit/56e244b91659cf385df590fc6c46695b6f36cbfd

github.com/typelevel/grackle/releases/tag/v0.18.0

github.com/typelevel/grackle/security/advisories/GHSA-g56x-7j6w-g8r8

nvd.nist.gov/vuln/detail/CVE-2023-50730

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.4%

JSON

Related for GHSA-G56X-7J6W-G8R8