In GraphQL Java (aka graphql-java) before 20.1, an attacker can send a crafted GraphQL query that causes stack consumption. The fixed versions are 20.1, 19.4, 18.4, 17.5, and 0.0.0-2023-03-20T01-49-44-80e3135. https://github.com/graphql-java/graphql-java/pull/3112 https://github.com/graphql-java/graphql-java/releases/tag/v19.4 https://github.com/graphql-java/graphql-java/releases/tag/v17.5 https://github.com/graphql-java/graphql-java/releases/tag/v18.4 https://github.com/graphql-java/graphql-java/releases/tag/v20.1
This issue has been addressed in the following products: RHINT Service Registry 2.4.3 GA Via RHSA-2023:3815 https://access.redhat.com/errata/RHSA-2023:3815
This issue has been addressed in the following products: Red Hat build of Quarkus 2.13.8 Via RHSA-2023:3809 https://access.redhat.com/errata/RHSA-2023:3809
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-28867