Denial of service through batched queries in GraphQL
This report is not public...
Denial Of Service (DoS)
Mattermost is vulnerable to Denial of Service DoS. The vulnerability is due to the failure to prevent detailed error messages from being displayed in Playbooks, which allows an attacker to generate a large GraphQL response. This can lead to application crashes when a specially crafted request is...
CVE-2024-6861
A disclosure of sensitive information flaw was found in foreman via the GraphQL API. If the introspection feature is enabled, it is possible for attackers to retrieve sensitive admin authentication keys which could result in a compromise of the entire product's API...
CVE-2024-6861 Foreman: foreman: oauth secret exposure via unauthenticated access to the graphql api
A disclosure of sensitive information flaw was found in foreman via the GraphQL API. If the introspection feature is enabled, it is possible for attackers to retrieve sensitive admin authentication keys which could result in a compromise of the entire product's API...
CVE-2024-6861
CVE-2024-6861 affects Foreman via GraphQL: if introspection is enabled, an attacker can retrieve sensitive admin authentication keys, risking full API compromise. Affected context: Foreman GraphQL API; root cause is exposure of admin keys through introspection. Mitigation repeatedly recommended a...
Information Disclosure
github.com/graph-gophers/graphql-go is vulnerable to Information Disclosure. The vulnerability is due to improper access controls on the GraphQL introspection query, allowing unauthorized users to access a complete list of available queries and mutations...
SUSE CVE-2024-50312
A vulnerability was found in GraphQL due to improper access controls on the GraphQL introspection query. This flaw allows unauthorized users to retrieve a comprehensive list of available queries and mutations. Exposure to this flaw increases the attack surface, as it can facilitate the discovery ...
Mattermost Server 9.5.x < 9.5.9 / 9.10.x < 9.10.2 / 9.11.x < 9.11.1 Multiple Vulnerabilities
The version of Mattermost Server installed on the remote host is prior to 9.5.9, 9.10.2, or 9.11.1. It is, therefore, affected by multiple vulnerabilities. - Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 fail to sanitize user inputs in the frontend that are used for...
GHSA-762V-RQ7Q-FF97 Mattermost Server vulnerable to application crash from attacker-generated large response
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1 and 9.5.x <= 9.5.9 fail to prevent detailed error messages from being displayed in Playbooks which allows an attacker to generate a large response and cause an amplified GraphQL response which in turn could cause the application to crash by...
Mattermost Server vulnerable to application crash from attacker-generated large response
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1 and 9.5.x <= 9.5.9 fail to prevent detailed error messages from being displayed in Playbooks which allows an attacker to generate a large response and cause an amplified GraphQL response which in turn could cause the application to crash by...
CVE-2024-47401
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1 and 9.5.x <= 9.5.9 fail to prevent detailed error messages from being displayed in Playbooks which allows an attacker to generate a large response and cause an amplified GraphQL response which in turn could cause the application to crash by...
CVE-2024-47401 DoS via Amplified GraphQL Response in Playbooks
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1 and 9.5.x <= 9.5.9 fail to prevent detailed error messages from being displayed in Playbooks which allows an attacker to generate a large response and cause an amplified GraphQL response which in turn could cause the application to crash by...
CVE-2024-47401
CVE-2024-47401 affects Mattermost Playbooks in versions 9.10.x up to 9.10.2, 9.11.x up to 9.11.1, and 9.5.x up to 9.5.9. The issue arises because the product does not prevent detailed error messages from being displayed, enabling an attacker to generate a large response and trigger an amplified G...
Denial Of Service (DoS)
Aimeos is vulnerable to Denial-of-Service. The vulnerability is due to insufficient handling in the Aimeos GraphQL API admin interface, specifically affecting all SaaS and marketplace setups...
Mattermost Security Vulnerability
Mattermost is an open source collaboration platform from Mattermost, Inc. in the United States. A security vulnerability in Mattermost version 9.10.2 and prior 9.10.x, version 9.11.1 and prior 9.11.x, and version 9.5.9 and prior 9.5.x stems from an inability to prevent the display of detailed err...
This Week in Spring - October 29th, 2024
Hi, Spring fans! How're things? It's almost Halloween! I'm so excited! I'm going as a PHP program. Boooooooo...t. I'm writing this from the amazing Vaadin Create conference in Frankfurt, Germany, about to do my keynote for an amazing, Spring-loving audience here. So, without further ado, let's di...
GO-2024-3211 Graphql: information disclosure via graphql introspection in openshift in github.com/openshift/console
Graphql: information disclosure via graphql introspection in openshift in github.com/openshift/console...