Bug 2319379 (CVE-2024-50311)

Summary: CVE-2024-50311 GraphQL: Denial of Service (DoS) vulnerability via GraphQL Batching
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: alcohan, gkamathe, gparvin, jchui, jkoehler, ktsao, nboldt, njean, owatkins, pahickey, rhaigner, rjohnson, rtaniwa, sdawley, tkral
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A denial of service (DoS) vulnerability was found in OpenShift. This flaw allows attackers to exploit the GraphQL batching functionality. The vulnerability arises when multiple queries can be sent within a single request, enabling an attacker to submit a request containing thousands of aliases in one query. This issue causes excessive resource consumption, leading to application unavailability for legitimate users.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2024-10-17 14:28:09 UTC
Denial of Service (DoS) vulnerability via GraphQL Batching was identified. The application allows multiple queries to be sent within a single request, which enables an attacker to submit a request containing thousands of aliases in one query. Exploitation of this vulnerability results in a complete denial of access to the application for legitimate users.
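The defensive counterpart to the report above is a pre-execution budget on the number of field selections and aliases a single document may carry. The following Go program is an added example written for this page; it is not code from OpenShift, Red Hat, or the erratum, and the bug report does not say what limit the actual fix applies. The function names (AnalyzeQuery, CheckQuery), the budget numbers (200 fields, 20 aliases) and the sample documents are all assumptions constructed for illustration. The scanner is hand-written so the example runs with only the standard library; a real handler would walk the AST its GraphQL library already produces and reject the request before the executor resolves anything.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// QueryStats is what a batching/alias limiter needs to know about a document.
type QueryStats struct {
	Fields  int // field selections at any depth, aliased or not
	Aliases int // selections written as "alias: field"
}

// ErrQueryTooLarge marks a document rejected for exceeding the budget.
var ErrQueryTooLarge = errors.New("graphql: document exceeds field/alias budget")

func isNameStart(r rune) bool { return r == '_' || unicode.IsLetter(r) }
func isNameChar(r rune) bool  { return isNameStart(r) || unicode.IsDigit(r) }

// AnalyzeQuery counts field selections and aliases with a small hand-written
// scanner (an assumption of this example, not a validator): it tracks braces,
// parentheses, strings, comments, spreads and directives only well enough to
// tell field names from everything else.
func AnalyzeQuery(doc string) (QueryStats, error) {
	var st QueryStats
	rs := []rune(doc)
	delta := map[rune]int{'{': 1, '}': -1, '(': 1, ')': -1}
	n, depth, parens, skip := len(rs), 0, 0, 0 // {} depth, () depth, names to ignore
	for i := 0; i < n; {
		c := rs[i]
		switch {
		case c == '#': // comment runs to end of line
			for ; i < n && rs[i] != '\n'; i++ {
			}
		case c == '"' && i+2 < n && rs[i+1] == '"' && rs[i+2] == '"': // block string
			for i += 3; i+2 < n && string(rs[i:i+3]) != `"""`; i++ {
			}
			i += 3 // past the closing quotes; an unterminated one just ends the scan
		case c == '"': // plain string, honouring backslash escapes
			for i++; i < n && rs[i] != '"'; i++ {
				if rs[i] == '\\' {
					i++
				}
			}
			i++ // past the closing quote
		case c == '{' || c == '}': // selection set, or an object value inside arguments
			depth, i = depth+delta[c], i+1
		case c == '(' || c == ')': // argument list or variable definitions
			parens, i = parens+delta[c], i+1
		case c == '.' && i+2 < n && rs[i+1] == '.' && rs[i+2] == '.':
			skip, i = 1, i+3 // spread: ignore the fragment name, or "on" plus the type
		case c == '@':
			skip, i = 1, i+1 // directive: ignore its name; its arguments sit in parens
		case isNameStart(c):
			j := i
			for ; j < n && isNameChar(rs[j]); j++ {
			}
			name := string(rs[i:j])
			i = j
			if skip > 0 { // name belongs to a spread, inline fragment or directive
				skip--
				if name == "on" {
					skip = 1 // inline fragment: the type name follows
				}
			} else if depth > 0 && parens == 0 { // a field selection
				k := i
				for ; k < n && unicode.IsSpace(rs[k]); k++ {
				}
				st.Fields++
				if k < n && rs[k] == ':' { // alias: count once, skip the real field name
					st.Aliases++
					skip, i = 1, k+1
				}
			}
		default: // whitespace, commas, numbers, the '$' of a variable, other punctuation
			i++
		}
	}
	if depth != 0 || parens != 0 {
		return st, errors.New("graphql: unbalanced delimiters")
	}
	return st, nil
}

// CheckQuery is the admission check a handler runs before executing a document:
// nil when it fits the budget, a wrapped ErrQueryTooLarge otherwise.
func CheckQuery(doc string, maxFields, maxAliases int) (QueryStats, error) {
	st, err := AnalyzeQuery(doc)
	if err == nil && (st.Fields > maxFields || st.Aliases > maxAliases) {
		err = fmt.Errorf("%w: fields=%d aliases=%d", ErrQueryTooLarge, st.Fields, st.Aliases)
	}
	return st, err
}

func main() {
	// Constructed inputs: a normal query and one repeating a selection under 50 aliases.
	flood := "{ " + strings.Repeat("a: viewer { id } ", 50) + "}"
	for _, doc := range []string{`query Me { viewer { id name } }`, flood} {
		st, err := CheckQuery(doc, 200, 20) // assumed budget; tune per deployment
		fmt.Printf("fields=%d aliases=%d err=%v\n", st.Fields, st.Aliases, err)
	}
}
```

The check belongs in front of the executor, with the returned stats logged on rejection so that a flood of oversized documents from one client is visible in the access logs. Because the report describes batching (several operations per HTTP request), the same budget should be applied to the request as a whole, not per operation, and a cap on the number of operations in a batch plus a request body size limit complement it.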

Comment 2 errata-xmlrpc 2025-02-25 04:38:18 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2024:6122 https://access.redhat.com/errata/RHSA-2024:6122