Server Side Request Forgery (SSRF)

wp-graphql/wp-graphql is vulnerable to Server Side Request Forgery SSRF. The vulnerability exists due to executable paths in GraphQL queries like createMediaItem, which allows authenticated users to get unauthorized access to servers, thus jeopardizing server security...

WPGraphQL Plugin vulnerable to Server Side Request Forgery (SSRF)

Impact Users with capabilities to upload media editors and above are succeptible to SSRF Server-Side Request Forgery when executing the createMediaItem Mutation. Authenticated users making GraphQL requests that execute the createMediaItem could pass executable paths in the mutations filePath...

GHSA-CFH4-7WQ9-6PGG WPGraphQL Plugin vulnerable to Server Side Request Forgery (SSRF)

Impact Users with capabilities to upload media editors and above are succeptible to SSRF Server-Side Request Forgery when executing the createMediaItem Mutation. Authenticated users making GraphQL requests that execute the createMediaItem could pass executable paths in the mutations filePath...

Security Bulletin: There is a vulnerability in GraphQL used by IBM Maximo Asset Management (CVE-2023-28867)

Summary There is a vulnerability in GraphQL used by IBM Maximo Asset Management Vulnerability Details CVEID:CVE-2023-28867 DESCRIPTION: GraphQL Java is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially crafted GraphQL query, a remote attacker could...

Moderate: Red Hat Security Advisory: Red Hat build of Quarkus 2.13.8 release and security update

An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability. For more information...

Security Bulletin: There is a vulnerability in GraphQL Java used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2023-28867)

Summary There is a vulnerability in GraphQL Java used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2023-28867 DESCRIPTION: GraphQL Java is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially crafte...

HackerOne: An attacker can submit a Pentest Opportunity and change the status of the opportunity from submitted to in_review or reviewed

A vulnerability was found where users could create and modify the status of pentest opportunities without going through the intended review process...

graphql-java: crafted GraphQL query causes stack consumption

A flaw was found in GraphQL Java. This issue may allow a malicious user to send a crafted GraphQL query that causes stack consumption, causing a denial of service...

Important: Red Hat Security Advisory: Service Registry (container images) release and security update [2.4.3 GA]

An update to the images for Red Hat Integration - Service Registry is now available from the Red Hat Container Catalog. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact...

Using Spring for GraphQL with Spring Data Neo4j

Introduction This is a guest blog post by Gerrit Meier from Neo4j who maintains the Spring Data Neo4j module. A few weeks ago version 1.2.0 of Spring for GraphQL was released with a bunch of new features. This also includes even better integration with Spring Data modules. Motivated by those...

GraphQL vs gRPC: Which One Creates More Secure APIs?

Learn about the security capabilities of GraphQL and gRPC, how they perform authentication/authorization, and how they compare to REST. In addition, discover common attack vectors for both API frameworks and how to prevent them...

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a denial of service due to GraphQL Java (CVE-2023-28867)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a denial of service due to GraphQL Java CVE-2023-28867 Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and...

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a denial of service due to GraphQL Java (CVE-2023-28867)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a denial of service due to GraphQL Java CVE-2023-28867 Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Version...

Security Bulletin: There is a vulnerability in GraphQL used by IBM Maximo Asset Management (CVE-2022-37734)

Summary There is a vulnerability in GraphQL used by IBM Maximo Asset Management. Vulnerability Details CVEID:CVE-2022-37734 DESCRIPTION: GraphQL Java is vulnerable to a denial of service, caused by an uncontrolled resource consumption flaw. By sending a specially-crafted request using Directive...

Input validation

A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage...

CVE-2023-0921

A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage...

UBUNTU-CVE-2023-0921

A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage...

PT-2023-16619 · Gitlab · Gitlab Ce/Ee +1

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 8.3 through 15.10.7 GitLab CE/EE versions 15.11 through 15.11.6 GitLab CE/EE versions 16.0 through 16.0.1 Description: A lack of length validation in GitLab CE/EE allows an authenticated attacker to create a large Issue...

CVE-2023-0921 Allocation of Resources Without Limits or Throttling in GitLab

A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage...

CVE-2023-0921 Allocation of Resources Without Limits or Throttling in GitLab

A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage...