Linux Distros Unpatched Vulnerability : CVE-2022-21708

🗓️ 05 Mar 2025 00:00:00Reported by TenableType

Unpatched vulnerability in Linux packages affects service stability via GraphQL server flaws.

Reporter	Title	Published	Views	Family All 23
Circl	CVE-2022-21708	22 Jan 202202:15	–	circl
CNNVD	graphql-go 资源管理错误漏洞	21 Jan 202200:00	–	cnnvd
CNVD	graphql-go denial of service vulnerability	25 Jan 202200:00	–	cnvd
CVE	CVE-2022-21708	21 Jan 202222:25	–	cve
Cvelist	CVE-2022-21708 Denial of Service in graphql-go	21 Jan 202222:25	–	cvelist
Debian CVE	CVE-2022-21708	21 Jan 202222:25	–	debiancve
EUVD	EUVD-2022-0647	3 Oct 202520:07	–	euvd
Github Security Blog	Denial of Service in graphql-go	27 Jan 202215:28	–	github
NVD	CVE-2022-21708	21 Jan 202223:15	–	nvd
OSV	CVE-2022-21708 Denial of Service in graphql-go	21 Jan 202222:25	–	osv

Source	Link
security-tracker	www.security-tracker.debian.org/tracker/CVE-2022-21708
ubuntu	www.ubuntu.com/security/CVE-2022-21708
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(229735);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/08/20");

  script_cve_id("CVE-2022-21708");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2022-21708");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - graphql-go is a GraphQL server with a focus on ease of use. In versions prior to 1.3.0 there exists a DoS
    vulnerability that is possible due to a bug in the library that would allow an attacker with specifically
    designed queries to cause stack overflow panics. Any user with access to the GraphQL handler can send
    these queries and cause stack overflows. This in turn could potentially compromise the ability of the
    server to serve data to its users. The issue has been patched in version `v1.3.0`. The only known
    workaround for this issue is to disable the `graphql.MaxDepth` option from your schema which is not
    recommended. (CVE-2022-21708)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-21708");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2022-21708");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-21708");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/01/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/03/05");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:golang-github-graph-gophers-graphql-go");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:golang-github-graph-gophers-graphql-go");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("set_linux_os_id.nasl", "ssh_get_info2.nasl");
  script_require_keys("Host/OS/identifier", "Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched");
  script_require_ports("Host/OS/Debian Linux-11", "Host/OS/Ubuntu Linux-20.04");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Debian Linux-11": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "11",
        "pkgs": [
          {"reference": "golang-github-graph-gophers-graphql-go-dev"}
        ]
      }
    ]
  },
  "Ubuntu Linux-20.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "20.04",
        "pkgs": [
          {"reference": "golang-github-graph-gophers-graphql-go"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_NOTE,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}

20 Aug 2025 00:00Current

6.4Medium risk

Vulners AI Score6.4

CVSS 23.5

CVSS 3.16.5

EPSS0.00155

SSVC