3121 matches found
CVE-2024-47082 Strawberry GraphQL Cross-Site Request Forgery (CSRF) vulnerability
Strawberry GraphQL is a library for creating GraphQL APIs. Prior to version 0.243.0, multipart file upload support as defined in the GraphQL multipart request specification was enabled by default in all Strawberry HTTP view integrations. This made all Strawberry HTTP view integrations vulnerable ...
CVE-2024-47082
The CVE-2024-47082 entry describes a vulnerability in Strawberry GraphQL where multipart file upload support was enabled by default in HTTP view integrations prior to version 0.243.0, enabling CSRF attacks if CSRF protection was not explicitly enabled. The Django HTTP view integration had a defau...
Strawberry GraphQL Cross-Site Request Forgery Vulnerability
Strawberry GraphQL is an open-source Python GraphQL library built on type annotations. A cross-site request forgery (CSRF) vulnerability exists in Strawberry GraphQL versions prior to 0.243.0, which stems from the library being exposed to cross-site request forgery (CSRF) attacks...
PT-2024-32396 · Django +1
Name of the Vulnerable Software and Affected Versions: Strawberry GraphQL versions prior to 0.243.0 Description: The issue concerns Strawberry GraphQL, a library for creating GraphQL APIs. Prior to version 0.243.0, multipart file upload support was enabled by default in all Strawberry HTTP view...
PT-2024-40583 · Graphql
Name of the Vulnerable Software and Affected Versions: graphql affected versions not specified Description: The issue is related to a security exception in the graphql schema. Specifically, the problem occurs in the simplePrint function of GraphQLTypeUtil. This function is called multiple times,...
ai.ancf.lmos:arc-graphql-spring-boot-starter (>=0.111.0 <=0.120.0), ai.ancf.lmos:arc-runner (>=0.111.0 <=0.120.0) +1041 more potentially affected by CVE-2024-7254 via com.google.protobuf:protobuf-java (>=4.0.0-rc-1 <=4.27.4)
com.google.protobuf:protobuf-java MAVEN version =4.0.0-rc-1, =0.111.0, =0.111.0, =0.6.5, =0.0.1-alpha24, =0.1.0-M22, =0.1.0-M22, =2.0.0, =2.1.4 - be.vlaanderen.informatievlaanderen.ldes.client:event-stream-properties-fetcher =2.12.0 - be.vlaanderen.informatievlaanderen.ldes.client:ldes-client...
ae.teletronics.nlp:entityextraction (=1.3), ae.teletronics.nlp:w2vec (=1.0) +33756 more potentially affected by CVE-2024-7254 via com.google.protobuf:protobuf-java (>=2.0.3 <=3.25.4)
com.google.protobuf:protobuf-java MAVEN version =2.0.3, =0.1.1, =0.1.1, =0.1.1, =1.4.6, =1.0.0, =0.0.23, =0.25-rc1, =0.25-rc1, =0.25, =0.25, =0.25, =0.25, =1.0.1, =1.2.8 and more Source cves: CVE-2024-7254 Source advisory: OSV:GHSA-735F-PC8J-V9W8...
BIT-GITLAB-2024-4472 Insertion of Sensitive Information into Log File in GitLab
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, where dependency proxy credentials are retained in GraphQL logs...
Fundamentals of GraphQL-specific attacks
GraphQL vs REST APIs Developers are constantly exploring new technologies that can improve the performance, flexibility, and usability of applications. GraphQL is one such technology that has gained significant attention for its ability to fetch data efficiently. Unlike the traditional REST API,...
CVE-2024-4472
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, where dependency proxy credentials are retained in GraphQL logs...
UBUNTU-CVE-2024-4472
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, where dependency proxy credentials are retained in GraphQL logs...
CVE-2024-4472
CVE-2024-4472 affects GitLab CE/EE; vulnerable versions are all versions from 16.5 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2, where dependency proxy credentials are retained in GraphQL logs. The issue's root cause is credential leakage in GraphQL log handling. Remediation is to apply the...
CVE-2024-4472 Insertion of Sensitive Information into Log File in GitLab
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, where dependency proxy credentials are retained in GraphQL logs...
CVE-2024-4472
Removed by vendor...
GitLab GraphQL API User Enumeration
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'GitLab GraphQL API User Enumeration', 'Description' = %q This module queries the GitLab GraphQL API without authentication to acquire the list of...
CVE-2024-43414
CVE-2024-43414 affects Apollo Federation components: @apollo/query-planner (>=2.0.0 and <2.8.5) and Apollo Router (
BIT-GITLAB-2024-3127 Improper Access Control in GitLab
An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 17.1.6, all versions starting from 17.2 before 17.2.4, all versions starting from 17.3 before 17.3.1. Under certain conditions it may be possible to bypass the IP restriction for groups through GraphQL...