Security Bulletin: IBM Maximo Application Suite Predict Component uses IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to GraphQL Java CVE-2024-40094
Summary Security Bulletin: IBM Maximo Application Suite Predict Component uses IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to GraphQL Java CVE-2024-40094. This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details...
graphql-mesh path traversal vulnerability
graphql-mesh is an application by Arda TANRIKULU Individual Developer. A path traversal vulnerability exists in graphql-mesh, which stems from a lack of checks in the static file handler that could lead to arbitrary file reads and leak server data...
graphql-mesh resource management error vulnerability
graphql-mesh is an application by Arda TANRIKULU Individual Developer. A resource management error vulnerability exists in graphql-mesh, which stems from a flaw in the query variable caching mechanism that can lead to token reuse and memory leaks...
This Week in Spring - February 18th, 2025
Hi, Spring fans! It's the week of February 18th, 2025, and you know what that means? ConFoo and Devnexus are nearly here! Next week, I'll be traveling to amazing Montreal, Canada, to speak at the ConFoo show for an amazing community, poutine, and technology! Then, a few days later, it's off to...
SUSE CVE-2024-47401
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1 and 9.5.x <= 9.5.9 fail to prevent detailed error messages from being displayed in Playbooks which allows an attacker to generate a large response and cause an amplified GraphQL response which in turn could cause the application to crash by...
CVE-2022-41876
ezplatform-graphql is a GraphQL server implementation for Ibexa DXP and Ibexa Open Source. Versions prior to 2.3.12 and 1.0.13 are subject to Insecure Storage of Sensitive Information. Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or...
Security Bulletin: Vulnerability in GraphQL Java affects IBM watsonx Assistant for IBM Cloud Pak for Data
Summary A potential vulnerability in GraphQL Java has been identified that affects IBM watsonx Assistant for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2024-40094 DESCRIPTION: GraphQL Java aka...
CVE-2020-4038
GraphQL Playground graphql-playground-html NPM package before version 1.6.22 has a severe XSS Reflection attack vulnerability. All unsanitized user input passed into the renderPlaygroundPage method could trigger this vulnerability. This has been patched in graphql-playground-html version 1.6.22. Not...
CVE-2024-47614
async-graphql is a GraphQL server library implemented in Rust. async-graphql before 7.0.10 does not limit the number of directives for a field. This can lead to Service Disruption, Resource Exhaustion, and User Experience Degradation. This vulnerability is fixed in 7.0.10...
Security Bulletin: The IBM® Engineering Lifecycle Engineering products using IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to GraphQL Java
Summary There is a vulnerability in the GraphQL Java library used by IBM WebSphere Application Server Liberty with the mpGraphQL-1.0 or mpGraphQL-2.0 feature enabled. The following IBM® Engineering Lifecycle Engineering products are vulnerable to this attack; it has been addressed in this bulletin:...
CVE-2024-54151
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0, when setting WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions...
CVE-2024-24556
urql is a GraphQL client that exposes a set of helpers for several frameworks. The @urql/next package is vulnerable to XSS. To exploit this an attacker would need to ensure that the response returns html tags and that the web-application is using streamed responses non-RSC. This vulnerability is...
MAL-2025-1178 Malicious code in solana-graphql-playground (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 293a02fa1726046ea481def165e8c209dc7e6e1b108bc997d12977ecd4e613f7 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
IBM WebSphere Application Server Liberty 20.0.0.6 < 24.0.0.12 DoS (7174997)
The version of IBM WebSphere Application Server Liberty running on the remote host is affected by a DoS vulnerability as referenced in the 7174997 advisory. - GraphQL Java aka graphql-java before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of servi...
Autodesk: Insecure Direct Object Reference (IDOR) in GraphQL deleteProfileImages Mutation
The Insecure Direct Object Reference (IDOR) vulnerability was discovered in the GraphQL deleteProfileImages mutation of the Autodesk User Profile. The vulnerability could have allowed an attacker to delete another user's photo through the "id" parameter. Autodesk has addressed the vulnerability...
Security Bulletin: IBM WebSphere Application Server Liberty , which is bundled with IBM Cloud Pak for Applications, is vulnerable to a denial of service due to GraphQL Java (CVE-2024-40094)
Summary There is a vulnerability in the GraphQL Java library used by IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, with the mpGraphQL-1.0 or mpGraphQL-2.0 feature enabled. Vulnerability Details Refer to the security bulletins listed in the...
Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to GraphQL Java (CVE-2024-40094)
Summary There is a vulnerability in the GraphQL Java library used by IBM WebSphere Application Server Liberty with the mpGraphQL-1.0 or mpGraphQL-2.0 feature enabled. Vulnerability Details CVEID:CVE-2024-40094 DESCRIPTION: GraphQL Java aka graphql-java is vulnerable to a denial of service, caused...
Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a denial of service due to GraphQL Java (CVE-2024-40094)
Summary There is a vulnerability in the GraphQL Java library used by IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, with the mpGraphQL-1.0 or mpGraphQL-2.0 feature enabled. Vulnerability Details Refer to the security bulletins listed in the...
Security Bulletin: There is a vulnerability in GraphQL Java used by IBM Maximo Asset Management application (CVE-2024-40094)
Summary There is a vulnerability in GraphQL Java used by IBM Maximo Asset Management application CVE-2024-40094 Vulnerability Details CVEID:CVE-2024-40094 DESCRIPTION: GraphQL Java aka graphql-java is vulnerable to a denial of service, caused by the failure to properly consider...