
3121 matches found

OSV
added 2023/06/06 12:0 a.m., 16 views

CVE-2023-0921 Allocation of Resources Without Limits or Throttling in GitLab

A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage...

CVSS 4.3, AI score 4.5, EPSS 0.84438
Exploits 0, References 5
Tenable Nessus
added 2023/06/05 12:0 a.m., 36 views

GitLab 8.3 < 15.10.8 / 15.11 < 15.11.7 / 16.0 < 16.0.2 (CVE-2023-0921)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue...

CVSS 4.3, AI score 5.2, EPSS 0.84438
Exploits 0, References 4
Hacker One
added 2023/06/04 8:2 a.m., 37 views

Internet Bug Bounty: [CVE-2023-22799] Possible ReDoS based DoS vulnerability in GlobalID

A ReDoS-based DoS vulnerability was discovered in the GlobalID gem, affecting versions 0.2.1 and above. Crafted input could cause the regular expression engine to consume excessive processing time, leading to a denial of service. The issue has been fixed in version 1.0.1...

CVSS 7.5, AI score 7.2, EPSS 0.01049
Exploits 0
Huntr
added 2023/06/03 8:39 p.m., 26 views

CSRF on /api/graphql query executing the mutations through GET requests

Description: Mutations are saveRecord or createProcess queries used in GraphQL. SuiteCRM prevents CSRF in this functionality by sending a POST request with an X-Xsrf-Token header. The bug here is that, when we send a GET request, the backend does not expect the X-Xsrf-Token header. Using this, an...

CVSS 6.8, AI score 6.9, EPSS 0.00302
Exploits 1, References 3
IBM Security Bulletins
added 2023/05/31 5:21 p.m., 24 views

Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to GraphQL Java (CVE-2023-28867)

Summary There is a vulnerability in the GraphQL Java library used by IBM WebSphere Application Server Liberty when the feature mpGraphQL-1.0 or mpGraphQL-2.0 is enabled. This has been addressed in the remediation section. Vulnerability Details CVEID:CVE-2023-28867 DESCRIPTION: GraphQL Java is...

CVSS 7.5, AI score 7.5, EPSS 0.01051
Exploits 0, Affected Software 1
BDU FSTEC
added 2023/05/29 12:0 a.m., 3 views

The vulnerability of the Git-based software platform for collaborative code development on GitLab arises from the improper assignment of permissions to critical resources. This allows a violator to gain unauthorized access to protected information.

The vulnerability of the Git-based software platform for collaborative code development on GitLab is related to the improper assignment of permissions for a critical resource during the processing of GraphQL endpoints. Exploiting this vulnerability can allow an attacker, operating remotely, to ga...

CVSS 9.6, AI score 7, EPSS 0.05042
Exploits 0, References 3, Affected Software 1
ATTACKERKB
added 2023/05/24 8:15 p.m., 1 view

CVE-2023-33796

A vulnerability in Netbox v3.5.1 allows unauthenticated attackers to execute queries against the GraphQL database, granting them access to sensitive data stored in the database. NOTE: the vendor disputes this because the reporter's only query was for the schema of the API, which is public; querie...

CVSS 9.1, AI score 7.4, EPSS 0.00747
Exploits 1, References 3
NVD
added 2023/05/24 8:15 p.m., 14 views

CVE-2023-33796

A vulnerability in Netbox v3.5.1 allows unauthenticated attackers to execute queries against the GraphQL database, granting them access to sensitive data stored in the database. NOTE: the vendor disputes this because the reporter's only query was for the schema of the API, which is public; querie...

CVSS 9.1, AI score 9.4, EPSS 0.00747
Exploits 1, References 2
OSV
added 2023/05/24 8:15 p.m., 7 views

CVE-2023-33796

A vulnerability in Netbox v3.5.1 allows unauthenticated attackers to execute queries against the GraphQL database, granting them access to sensitive data stored in the database. NOTE: the vendor disputes this because the reporter's only query was for the schema of the API, which is public; querie...

CVSS 9.1, AI score 7
Exploits 0, References 2
Prion
added 2023/05/24 8:15 p.m., 19 views

Design/Logic Flaw

A vulnerability in Netbox v3.5.1 allows unauthenticated attackers to execute queries against the GraphQL database, granting them access to sensitive data stored in the database. NOTE: the vendor disputes this because the reporter's only query was for the schema of the API, which is public; querie...

CVSS 6.4, AI score 9.3, EPSS 0.00747
Exploits 1, References 2, Affected Software 1
CNNVD
added 2023/05/24 12:0 a.m., 3 views

NetBox Security Vulnerability

NetBox is a Django- and PostgreSQL-based tool for IP Address Management (IPAM) and Data Center Infrastructure Management (DCIM) from the NetBox community. A security vulnerability exists in NetBox version v3.5.1, which stems from a vulnerability that allows an unauthenticated attacker to execute queries...

CVSS 9.1, AI score 8.3, EPSS 0.00747
Exploits 1, References 3
CVE
added 2023/05/24 12:0 a.m., 101 views

CVE-2023-33796

CVE-2023-33796 concerns NetBox v3.5.1, where unauthenticated attackers could issue queries against the GraphQL database and potentially access sensitive data. The core issue is described as a GraphQL access/permission gap that could expose data stored in the NetBox GraphQL layer; vendor disputes ...

CVSS 9.1, AI score 9.3, EPSS 0.00747
Exploits 1, References 2, Affected Software 1
Cvelist
added 2023/05/24 12:0 a.m., 18 views

CVE-2023-33796

A vulnerability in Netbox v3.5.1 allows unauthenticated attackers to execute queries against the GraphQL database, granting them access to sensitive data stored in the database. NOTE: the vendor disputes this because the reporter's only query was for the schema of the API, which is public; querie...

AI score 9.6, EPSS 0.00747
Exploits 1, References 2
Spring Security Advisories
added 2023/05/23 12:0 a.m., 93 views

This Week in Spring - May 23rd, 2023

Hi, Spring fans! Welcome to another installment of This Week in Spring! It's May 23rd and, famously, nothing major has happened in the last week OH WAIT WE RELEASED SPRING BOOT 3.1! Have you checked it out yet? It's dope. I did a Spring Tips installment looking at some of its features here that y...

CVSS 5, AI score 6.7, EPSS 0.00904
Exploits 0
IBM Security Bulletins
added 2023/05/15 5:30 p.m., 15 views

Security Bulletin: Open Source Dependency Vulnerability

Summary IBM Edge Application Manager 4.5 has resolved the vulnerability. Vulnerability Details IBM X-Force ID: 239925 DESCRIPTION: Apollo GraphQL Apollo Server is vulnerable to web cache poisoning, caused by improper handling of cache-control response header. By modifying HTTP request headers, an...

AI score 6.5
Exploits 0, Affected Software 1
NVD
added 2023/05/08 9:15 p.m., 16 views

CVE-2023-2478

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.9.7, all versions starting from 15.10 before 15.10.6, all versions starting from 15.11 before 15.11.2. Under certain conditions, a malicious unauthorized GitLab user may use a GraphQL endpoint to atta...

CVSS 9.6, AI score 9, EPSS 0.05042
Exploits 0, References 3
Prion
added 2023/05/08 9:15 p.m., 21 views

Design/Logic Flaw

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.9.7, all versions starting from 15.10 before 15.10.6, all versions starting from 15.11 before 15.11.2. Under certain conditions, a malicious unauthorized GitLab user may use a GraphQL endpoint to atta...

CVSS 4, AI score 6.1, EPSS 0.05042
Exploits 0, References 3, Affected Software 1
UbuntuCve
added 2023/05/08 9:15 p.m., 23 views

CVE-2023-2478

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.9.7, all versions starting from 15.10 before 15.10.6, all versions starting from 15.11 before 15.11.2. Under certain conditions, a malicious unauthorized GitLab user may use a GraphQL endpoint to atta...

CVSS 9.6, AI score 6.7, EPSS 0.05042
Exploits 0, References 4
Vulnrichment
added 2023/05/08 12:0 a.m., 10 views

CVE-2023-2478

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.9.7, all versions starting from 15.10 before 15.10.6, all versions starting from 15.11 before 15.11.2. Under certain conditions, a malicious unauthorized GitLab user may use a GraphQL endpoint to atta...

CVSS 9.6, AI score 9.1, EPSS 0.05042
Exploits 0, References 3
Cvelist
added 2023/05/08 12:0 a.m., 19 views

CVE-2023-2478

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.9.7, all versions starting from 15.10 before 15.10.6, all versions starting from 15.11 before 15.11.2. Under certain conditions, a malicious unauthorized GitLab user may use a GraphQL endpoint to atta...

CVSS 9.6, AI score 9.2, EPSS 0.05042
Exploits 0, References 3