PT-2022-26109 · Ez Systems · Ezplatform-Graphql

Name of the Vulnerable Software and Affected Versions: ezplatform-graphql versions prior to 1.0.13 ezplatform-graphql versions prior to 2.3.12 Description: The issue concerns the exposure of password hashes of users who have created or modified content, typically administrators and editors, throu...

Ibexa GraphQL Bundle 安全漏洞

Ibexa GraphQL Bundle is an Ibexa open source GraphQL server for the eZ platform, open source Symfony CMS. A security vulnerability exists in Ibexa GraphQL Bundle versions prior to 2.3.12 and 1.0.13, which stems from the fact that its insecure storage of sensitive information results in...

CVE-2022-41876

CVE-2022-41876 affects ezplatform-graphql (Ibexa DXP and Ibexa Open Source). The vulnerability is caused by insecure storage that allows unauthenticated GraphQL queries to expose user password hashes (typically for admins/editors). Patches exist in Ibexa/DXP versions 2.3.12 and 1.0.13 on the 1.X ...

CVE-2022-41876 ezplatform-graphql GraphQL queries can expose password hashes

ezplatform-graphql is a GraphQL server implementation for Ibexa DXP and Ibexa Open Source. Versions prior to 2.3.12 and 1.0.13 are subject to Insecure Storage of Sensitive Information. Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or...

CVE-2022-41876 ezplatform-graphql GraphQL queries can expose password hashes

ezplatform-graphql is a GraphQL server implementation for Ibexa DXP and Ibexa Open Source. Versions prior to 2.3.12 and 1.0.13 are subject to Insecure Storage of Sensitive Information. Unauthenticated GraphQL queries for user accounts can expose password hashes of users that have created or...

CVE-2022-39382

Keystone is a headless CMS for Node.js — built with GraphQL and React.@keystone-6/[email protected] || 3.0.1 users that use NODEENV to trigger security-sensitive functionality in their production builds are vulnerable to NODEENV being inlined to "development" for user code, irrespective of what your...

Design/Logic Flaw

Keystone is a headless CMS for Node.js — built with GraphQL and React.@keystone-6/email protected || 3.0.1 users that use NODEENV to trigger security-sensitive functionality in their production builds are vulnerable to NODEENV being inlined to "development" for user code, irrespective of what you...

CVE-2022-39382 NODE_ENV in Keystone defaults to development with esbuild

Keystone is a headless CMS for Node.js — built with GraphQL and React.@keystone-6/[email protected] || 3.0.1 users that use NODEENV to trigger security-sensitive functionality in their production builds are vulnerable to NODEENV being inlined to "development" for user code, irrespective of what your...

CVE-2022-39382

Keystone (Node.js) vulnerability CVE-2022-39382 affects @keystone-6/core versions 3.0.0 and 3.0.1. The issue arises when NODE_ENV is inlined to the string "development" for user code in production builds, potentially triggering security‑sensitive functionality unintentionally. The vulnerability i...

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled in IBM Cloud Pak for Applications, is vulnerable to denial of service due to GraphQL Java (CVE-2022-37734)

Summary IBM WebSphere Application Server Liberty, which is bundled in IBM Cloud Pak for Applications, is vulnerable to denial of service due to GraphQL Java CVE-2022-37734 Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions...

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to denial of service due to GraphQL Java (CVE-2022-37734)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to denial of service due to GraphQL Java CVE-2022-37734 Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions...

@a11ywatch/a11ywatch (>=0.1.0 <=0.1.65), @a11ywatch/core (>=0.4.52 <=0.5.158) +11 more potentially affected by unknown CVE via apollo-server-core (>=3.10.0 <=3.10.4)

apollo-server-core NPM version =3.10.0, =0.1.0, =0.4.52, =0.1.0-alpha.0, =0.1.0-alpha.1, =0.1.0-alpha.0, =0.1.0-alpha.0, =0.1.0-alpha.0, =10.7.1, =9.0.0, =2.0.0-beta.7, =1.0.0, =4.13.1, =1.3.0-beta.2, =2.0.0-beta.2 Source cves: unknown CVE Source advisory: OSV:GHSA-8R69-3CVP-WXC3...

Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Business Automation Workflow (CVE-2022-37734)

Summary WebSphere Application Server Liberty is shipped as part of IBM Business Automation Workflow containers and as part of the optional components Process Federation Server since 8.5.6, and User Management Service since 18.0.0.1 in IBM Business Automation Workflow traditional. Information abou...

Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to denial of service due to GraphQL Java (CVE-2022-37734)

Summary There is a vulnerability in the GraphQL Java library used by IBM WebSphere Application Server Liberty with the mpGraphQL-1.0 or mpGraphQL-2.0 feature enabled. This has been addressed. Vulnerability Details CVEID:CVE-2022-37734 DESCRIPTION: GraphQL Java is vulnerable to a denial of service...

This Week in Spring - October 25th, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! When last we spoke, I was in Las Vegas, NV, for the JavaOne show. It was amazing! Im in sunny Singapore, then off to Malaysia and Thailand. Its the first time Ive been to any of these places since 2019! How good it is to be...

This Week in Spring - October 18th, 2022

Hi, Spring fans! Howre you doin? Im doin alright! Last week I was in Antwerp, Belgium, for the amazing Devoxx BE show. I did a presentation with my friend and hero James Ward on Spring and Kotlin that was voted third most-liked talk at a show with more than 250 speakers! That was a personal caree...

GHSA-2P3C-P3QW-69R4 The graphql-upload library included in Apollo Server 2 is vulnerable to CSRF mutations

Impact The graphql-upload npm package can execute GraphQL operations contained in content-type: multipart/form-data POST requests. Because they are POST requests, they can contain GraphQL mutations. Because they use content-type: multipart/form-data, they can be "simple requests" which are not...

The graphql-upload library included in Apollo Server 2 is vulnerable to CSRF mutations

Impact The graphql-upload npm package can execute GraphQL operations contained in content-type: multipart/form-data POST requests. Because they are POST requests, they can contain GraphQL mutations. Because they use content-type: multipart/form-data, they can be "simple requests" which are not...

PT-2022-28174 · Apollo · Apollo Server 2 +1

Name of the Vulnerable Software and Affected Versions: Apollo Server 2 versions prior to 2.25.4 Apollo Server versions that manually integrate with graphql-upload and do not have CSRF prevention enabled Description: The graphql-upload npm package can execute GraphQL operations contained in...

CVE-2022-39275

Saleor is a headless, GraphQL commerce platform. In affected versions some GraphQL mutations were not properly checking the ID type input which allowed to access database objects that the authenticated user may not be allowed to access. This vulnerability can be used to expose the following...