GraphQL Java vulnerable to stack consumption

2023-03-2703:30:16

CWE-770

GitHub Advisory Database

github.com

graphql java

stack consumption

vulnerability

fix

software

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

45.1%

JSON

In GraphQL Java (aka graphql-java) before 20.1, an attacker can send a crafted GraphQL query that causes stack consumption. The fixed versions are 20.1, 19.4, 18.4, 17.5, and 0.0.0-2023-03-20T01-49-44-80e3135.

Affected configurations

Vulners

Node

pdftk-java_projectpdftk-javaMatch20.0java

pdftk-java_projectpdftk-javaRange<19.4java

pdftk-java_projectpdftk-javaRange<18.4java

pdftk-java_projectpdftk-javaRange1.2≥java

pdftk-java_projectpdftk-javaRange<17.5java

pdftk-java_projectpdftk-javaRange<0.0.0-2023-03-20T01-49-44-80e3135java

CPENameOperatorVersion
com.graphql-java:graphql-javaeq20.0
com.graphql-java:graphql-javalt19.4
com.graphql-java:graphql-javalt18.4
com.graphql-java:graphql-javage1.2
com.graphql-java:graphql-javalt17.5
com.graphql-java:graphql-javalt0.0.0-2023-03-20T01-49-44-80e3135

Name	Operator	Version
com.graphql-java:graphql-java	eq	20.0
com.graphql-java:graphql-java	lt	19.4
com.graphql-java:graphql-java	lt	18.4
com.graphql-java:graphql-java	ge	1.2
com.graphql-java:graphql-java	lt	17.5
com.graphql-java:graphql-java	lt	0.0.0-2023-03-20T01-49-44-80e3135