Bug 2108396 (CVE-2022-2466) - CVE-2022-2466 smallrye-graphql: Request Context not terminated with GraphQL
Summary: CVE-2022-2466 smallrye-graphql: Request Context not terminated with GraphQL
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2022-2466
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2108393 2108407
Reported: 2022-07-19 01:31 UTC by Paramvir jindal
Modified: 2022-08-30 08:55 UTC (History)

Fixed In Version: Quarkus 2.10.3
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-08-30 08:55:52 UTC
Embargoed:



Description Paramvir jindal 2022-07-19 01:31:01 UTC
https://github.com/quarkusio/quarkus/issues/26748

Expected behavior
Every time a new request is performed by a client, the request headers should be in line with the actual HTTP request.

Actual behavior
With 2.10.x, the first request's headers become like a cached value, and any subsequent request's headers will contain those instead of the actual headers.

How to Reproduce?
    1) create an app with Quarkus 2.10.1 - 2.10.2 and the smallrye graphql extension
    2) create an endpoint or a bean injecting RoutingContext
    3) set some HTTP headers like Authorization, MyCustomHeader etc. and send the HTTP request
    4) print RoutingContext.request().headers
    5) set other HTTP headers or remove the previous ones and send the new HTTP request
    6) the second request's headers will contain the first request's data even if you did not send them
    7) switch to Quarkus 2.9.x and it will work as expected
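Seen from the defending side, the reproduction above is a regression check: send one request carrying marker headers, then one without them, and fail if the markers reappear. The script below is an added example, not code from the Quarkus or smallrye-graphql projects. It runs against any URL that echoes the request headers the application saw as a JSON object; for an offline run it starts a constructed local echo server whose `sticky` flag reproduces the reported behaviour (the first request's headers merged into every later one). The endpoint path, the marker header values and the echo server's JSON format are assumptions.

```python
"""Black-box check for cross-request HTTP header leakage.

Added example (not Quarkus/smallrye-graphql code). The echo server is a
constructed stand-in for the application; `sticky=True` models the reported
defect, `sticky=False` the correct per-request behaviour.
"""
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Opener with proxies disabled so the loopback probe never leaves the host.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def make_handler(sticky: bool):
    """Build an echo handler. With `sticky` the first request's headers are
    cached and merged into every later response, mimicking a request context
    that is never terminated."""
    cached = {}

    class EchoHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            headers = {k.lower(): v for k, v in self.headers.items()}
            if sticky:
                if not cached:
                    cached.update(headers)
                # Bug model: stale values from the first request survive.
                headers = {**cached, **headers}
            body = json.dumps(headers).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the console quiet
            pass

    return EchoHandler


def start_server(sticky: bool = False) -> HTTPServer:
    """Start the constructed echo server on an ephemeral loopback port."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(sticky))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_headers(url: str, headers: dict) -> dict:
    """GET `url` with `headers` and return the header map the server echoed."""
    req = urllib.request.Request(url, headers=headers)
    with _OPENER.open(req, timeout=5) as resp:
        return json.loads(resp.read())


def check_header_isolation(url: str) -> list:
    """Send a request carrying marker headers, then one without them, and
    return the marker names the server still reports on the second request.
    An empty list means headers are isolated per request; any entry means
    the first caller's values (here including Authorization) are being
    presented to the application on later calls."""
    markers = {"Authorization": "Bearer first-request-token",   # constructed
               "MyCustomHeader": "first-request-only"}          # constructed
    fetch_headers(url, markers)
    second = fetch_headers(url, {"X-Probe": "second"})
    return sorted(name for name in markers if name.lower() in second)


if __name__ == "__main__":
    for sticky in (False, True):
        srv = start_server(sticky)
        leaked = check_header_isolation(f"http://127.0.0.1:{srv.server_port}/")
        print(f"sticky={sticky}: leaked markers = {leaked}")
        srv.shutdown()
```

Pointed at a real deployment, `check_header_isolation` needs an endpoint that reflects the headers the application actually sees (for instance one returning what the step above prints from `RoutingContext.request().headers`). A non-empty result there is exactly the cross-request bleed that makes this a security issue rather than a cosmetic one: the Authorization value of the first caller is then attached to requests made by later callers.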

Comment 3 Paramvir jindal 2022-07-19 08:08:20 UTC
Marking RHBQ as not affected because this issue affects only upstream Quarkus 2.10.1 - 2.10.2 and not the RHBQ counterpart, which at the moment is based on version 2.7.6.Final.

Comment 4 Guillaume Smet 2022-07-19 09:32:41 UTC
Just to clarify: it affects 2.10.0.CR1 and 2.10.0.Final too. I don't mind us not communicating about CR1 but please include the .0.Final in the affected versions.

Thanks!

Comment 5 Guillaume Smet 2022-07-27 19:10:40 UTC
Unfortunately, the fix we introduced in 2.10.3.Final and 2.11.0.Final was incomplete and these versions are still affected by the issue.

Quarkus 2.10.4.Final and 2.11.1.Final have been released to completely fix the issue: https://quarkus.io/blog/quarkus-2-11-1-final-released/ .

Comment 6 Guillaume Smet 2022-08-05 07:34:46 UTC
Unfortunately, the problem is still not fixed.

I will follow up here once we are completely positive the issue is fixed.

Comment 7 Product Security DevOps Team 2022-08-30 08:55:51 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2466
