3128 matches found

IBM Security Bulletins
added 2024/08/15 3:40 p.m., 37 views

Security Bulletin: Several Security Vulnerabilities were discovered in IBM Security Directory Suite. (CVE-2023-24998, CVE-2023-28867, CVE-2023-0482)

Summary: Several vulnerabilities were addressed in WebSphere Application Server Liberty components shipped with the IBM Security Directory Suite. Vulnerability Details: CVEID: CVE-2023-24998 DESCRIPTION: Apache Commons FileUpload and Tomcat are vulnerable to a denial of service, caused by not limit t...

CVSS 7.5 | AI score 7.8 | EPSS 0.46836
Exploits 1 | Affected Software 1
Imperva Blog
added 2024/08/14 7:05 a.m., 23 views

GraphQL Vulnerabilities and Common Attacks: Seen in the Wild

In our previous blog, we provided an overview of GraphQL security, along with details and examples of common attacks. Building on that foundation, this blog will take a closer look at real-world examples of GraphQL attacks that have recently occurred. We will explore the methods used by attackers...

AI score 7.8
Exploits 0
Hacker One
added 2024/07/31 6:12 p.m., 5 views

HackerOne: IDOR Vulnerability at AddTagToAssets operation name

The IDOR vulnerability was discovered in the AddTagToAssets operation name of a GraphQL endpoint. The vulnerability allowed an attacker to obtain the IDs of custom tags created by a victim by decoding the base64-encoded tagId parameter in the request. This revealed the format and pattern of the t...

AI score 6.8
Exploits 0
Veracode
added 2024/07/31 9:34 a.m., 21 views

Denial Of Service (DoS)

com.graphql-java: graphql-java is vulnerable to Denial of Service (DoS). The vulnerability is due to improper handling of ExecutableNormalizedFields (ENFs) in introspection queries, allowing attackers to send queries that can overwhelm the service and cause it to become unresponsive...

CVSS 5.3 | AI score 6.6 | EPSS 0.00943
Exploits 2 | References 10 | Affected Software 1
Github Security Blog
added 2024/07/30 9:31 a.m., 46 views

GraphQL Java does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service

GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. 20.9 and 19.11 are also fixed versions...

CVSS 5.3 | AI score 6.9 | EPSS 0.00943
Exploits 2 | References 11 | Affected Software 1
vulnersOsv
added 2024/07/30 9:31 a.m., 3 views

br.com.m4rc310:br-com-m4rc310-graphql (=1.0.1), br.com.m4rc310:br-com-m4rc310-libs (=1.0.1) +881 more potentially affected by CVE-2024-40094 via com.graphql-java:graphql-java (>=0.0.0-2021-06-27T12-22-33-cd2bab76 <=19.1)

com.graphql-java:graphql-java MAVEN version =0.0.0-2021-06-27T12-22-33-cd2bab76, =6.0.0, =6.0.3, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.2.0, =6.0.0, =6.0.0, =6.0.3, =0.1.0, =1.0.0, =1.2.1 and more Source cves: CVE-2024-40094 Source advisory: OSV:GHSA-H9MQ-F6Q5-6C8M...

CVSS 5.3 | AI score 6.5 | EPSS 0.00943
Exploits 2
OSV
added 2024/07/30 9:31 a.m., 4 views

GHSA-H9MQ-F6Q5-6C8M GraphQL Java does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service

GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. 20.9 and 19.11 are also fixed versions...

CVSS 8.7 | AI score 6.8 | EPSS 0.00943
Exploits 2 | References 10
OSV
added 2024/07/30 7:15 a.m., 33 views

CVE-2024-40094

GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. 20.9 and 19.11 are also fixed versions...

CVSS 5.3 | AI score 6.8
Exploits 0 | References 6
NVD
added 2024/07/30 7:15 a.m., 23 views

CVE-2024-40094

GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. 20.9 and 19.11 are also fixed versions...

CVSS 5.3 | EPSS 0.00943
Exploits 2 | References 6
Positive Technologies
added 2024/07/30 12:00 a.m., 6 views

PT-2024-28780

Name of the Vulnerable Software and Affected Versions: GraphQL Java versions prior to 21.5; GraphQL Java version 20.9; GraphQL Java version 19.11. Description: The issue is related to the improper consideration of ExecutableNormalizedFields (ENFs) in preventing denial of service via introspection querie...

CVSS 8.7 | AI score 6.5 | EPSS 0.00943
Exploits 2 | References 253
Vulnrichment
added 2024/07/30 12:00 a.m., 24 views

CVE-2024-40094

GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. 20.9 and 19.11 are also fixed versions...

AI score 7 | EPSS 0.00943
Exploits 2 | References 6
CVE
added 2024/07/30 12:00 a.m., 326 views

CVE-2024-40094

CVE-2024-40094 relates to GraphQL Java (graphql-java) where versions before 21.5 do not adequately consider ExecutableNormalizedFields to prevent DoS via introspection queries. Publicly documented fixes include 20.9 and 19.11. IBM- and Circl-sourced entries confirm the CVE details and provide rem...

CVSS 5.3 | AI score 7 | EPSS 0.00943
Exploits 2 | References 6
CNNVD
added 2024/07/30 12:00 a.m., 4 views

GraphQL Java Security Vulnerability

GraphQL Java is an open-source Java implementation of GraphQL, a query language and server-side runtime for application programming interfaces (APIs). A security vulnerability exists in GraphQL Java versions prior to 21.5 that stems from not properly considering...

CVSS 5.3 | AI score 6.6 | EPSS 0.00943
Exploits 2 | References 8
Cvelist
added 2024/07/30 12:00 a.m., 31 views

CVE-2024-40094

GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. 20.9 and 19.11 are also fixed versions...

EPSS 0.00943
Exploits 2 | References 6
Wallarm Lab
added 2024/07/24 2:03 p.m., 21 views

How Can Deliberately Flawed APIs Help In Mastering API Security?

In our recent webinar, titled 'A CISO’s Checklist for Securing APIs and Applications', we delved into the concept of creating an API security playground tailored for both developer and security teams. The core idea revolves around utilizing intentionally vulnerable APIs as training...

AI score 8.1
Exploits 0
Wallarm Lab
added 2024/07/24 2:03 p.m., 11 views

How Can Deliberately Flawed APIs Help In Mastering API Security?

In our recent webinar, titled 'A CISO’s Checklist for Securing APIs and Applications', we delved into the concept of creating an API security playground tailored for both developer and security teams. The core idea revolves around utilizing intentionally vulnerable APIs as training...

AI score 8.1
Exploits 0
Wallarm Lab
added 2024/07/19 9:31 a.m., 14 views

Two of Wallarm’s Open-source Tools Have Been Accepted into Black Hat Arsenal 2024

We're gearing up with some seriously cool stuff for Black Hat! But first, a little sneak peek - not just one, but TWO of Wallarm's open-source tools will be featured in the Arsenal showcase at Black Hat USA this year. Black Hat Arsenal unites researchers and the open-source community to display...

AI score 7.3
Exploits 0
Spring Security Advisories
added 2024/07/16 12:00 a.m., 14 views

This Week in Spring - July 16th, 2024

Hi, Spring fans! Welcome to another installment of This Week in Spring! It's the middle of July! I can't believe it! Things have been just rushing by! Did you see this awesome talk on observability by Tommy Ludwig and Jonatan Ivanov from Spring IO 2024? What is a ReadWriteLock? Spring for GraphQL...

AI score 7.3
Exploits 0
Veracode
added 2024/07/09 8:13 a.m., 23 views

Denial Of Service (DoS)

Directus is vulnerable to Denial of Service (DoS). The vulnerability is due to field duplication in GraphQL, where an attacker can overwhelm the server by requesting the same field multiple times in a single query, leading to excessive resource consumption and denial of service for legitimate users...

CVSS 6.5 | AI score 6.6 | EPSS 0.00795
Exploits 1 | References 3 | Affected Software 1
Github Security Blog
added 2024/07/08 6:41 p.m., 28 views

Directus GraphQL Field Duplication Denial of Service (DoS)

Summary: A denial of service (DoS) attack by field duplication in GraphQL is a type of attack where an attacker exploits the flexibility of GraphQL to overwhelm a server by requesting the same field multiple times in a single query. This can cause the server to perform redundant computations and...

CVSS 6.5 | AI score 7 | EPSS 0.00795
Exploits 1 | References 4 | Affected Software 1