2181977 – (CVE-2023-28867) CVE-2023-28867 graphql-java: crafted GraphQL query causes stack consumption

Bug 2181977 (CVE-2023-28867) - CVE-2023-28867 graphql-java: crafted GraphQL query causes stack consumption

Summary: CVE-2023-28867 graphql-java: crafted GraphQL query causes stack consumption

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2023-28867
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2181979
TreeView+	depends on / blocked

Reported:	2023-03-27 06:53 UTC by TEJ RATHI
Modified:	2024-03-15 03:04 UTC (History)
CC List:	53 users (show)
Fixed In Version:	graphql-java 20.1
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in GraphQL Java. This issue may allow a malicious user to send a crafted GraphQL query that causes stack consumption, causing a denial of service.
Clone Of:
Environment:
Last Closed:	2023-06-29 16:17:15 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:3809	0	None	None	None	2023-06-29 11:09:54 UTC
Red Hat Product Errata	RHSA-2023:3815	0	None	None	None	2023-06-27 11:29:05 UTC

Description TEJ RATHI 2023-03-27 06:53:25 UTC

In GraphQL Java (aka graphql-java) before 20.1, an attacker can send a crafted GraphQL query that causes stack consumption. The fixed versions are 20.1, 19.4, 18.4, 17.5, and 0.0.0-2023-03-20T01-49-44-80e3135.

https://github.com/graphql-java/graphql-java/pull/3112
https://github.com/graphql-java/graphql-java/releases/tag/v19.4
https://github.com/graphql-java/graphql-java/releases/tag/v17.5
https://github.com/graphql-java/graphql-java/releases/tag/v18.4
https://github.com/graphql-java/graphql-java/releases/tag/v20.1

Comment 4 errata-xmlrpc 2023-06-27 11:29:03 UTC

This issue has been addressed in the following products:

  RHINT Service Registry 2.4.3 GA

Via RHSA-2023:3815 https://access.redhat.com/errata/RHSA-2023:3815

Comment 5 errata-xmlrpc 2023-06-29 11:09:52 UTC

This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.13.8

Via RHSA-2023:3809 https://access.redhat.com/errata/RHSA-2023:3809

Comment 6 Product Security DevOps Team 2023-06-29 16:17:11 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-28867

Note You need to log in before you can comment on or make changes to this bug.

aileenc
anstephe
asoldano
avibelli
bbaranow
bgeorges
bmaxwell
brian.stansberry
cdewolf
chazlett
clement.escoffier
dandread
darran.lofthouse
dffrench
dkreling
dosoudil
eric.wittmann
fjansen
fjuma
gmalinko
gsmet
gzaronik
hamadhan
hbraun
ivassile
iweiss
janstey
jmartisk
jpavlik
lgao
lthon
max.andersen
mosmerov
msochure
msvehla
ngough
nwallace
pantinor
pdelbell
peholase
pgallagh
pjindal
pmackay
probinso
rgodfrey
rruss
rstancel
rsvoboda
sbiarozk
sdouglas
smaestri
tom.jenkinson
tqvarnst