Bug 2126809 (CVE-2022-37734) - CVE-2022-37734 graphql-java: DoS by malicious query
Summary: CVE-2022-37734 graphql-java: DoS by malicious query
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-37734
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2126405
Reported: 2022-09-14 13:02 UTC by Patrick Del Bello
Modified: 2022-12-14 13:15 UTC (History)

Fixed In Version: graphql-java 19.0, graphql-java 18.3, graphql-java 17.4
Clone Of:
Environment:
Last Closed: 2022-11-29 12:27:56 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:6757 0 None None None 2022-10-05 14:50:20 UTC
Red Hat Product Errata RHSA-2022:6835 0 None None None 2022-10-06 12:28:40 UTC
Red Hat Product Errata RHSA-2022:9023 0 None None None 2022-12-14 13:15:15 UTC

Description Patrick Del Bello 2022-09-14 13:02:29 UTC
graphql-java before 19.0 is vulnerable to Denial of Service. An attacker can send a malicious GraphQL query that consumes CPU resources. The fixed versions are 19.0 and later, 18.3, and 17.4.

https://github.com/graphql-java/graphql-java/pull/2892
https://github.com/graphql-java/graphql-java/issues/2888
https://github.com/graphql-java/graphql-java/discussions/2958
https://github.com/graphql-java/graphql-java/releases

Comment 3 errata-xmlrpc 2022-10-05 14:50:16 UTC
This issue has been addressed in the following products:

  Red Hat build of Eclipse Vert.x 4.3.3

Via RHSA-2022:6757 https://access.redhat.com/errata/RHSA-2022:6757

Comment 4 errata-xmlrpc 2022-10-06 12:28:36 UTC
This issue has been addressed in the following products:

  RHINT Service Registry 2.3.0 GA

Via RHSA-2022:6835 https://access.redhat.com/errata/RHSA-2022:6835

Comment 6 Product Security DevOps Team 2022-11-29 12:27:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-37734

Comment 7 errata-xmlrpc 2022-12-14 13:15:13 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.13.5

Via RHSA-2022:9023 https://access.redhat.com/errata/RHSA-2022:9023
