CVE-2023-22477 Mercurius is vulnerable to denial of service (DoS) when using subscriptions
Mercurius is a GraphQL adapter for Fastify. Any Mercurius deployment until version 10.5.0 can be taken down by an attacker sending a malformed packet over WebSocket to /graphql. This issue was patched in #940. As a workaround, users can disable subscriptions...
CVE-2023-22477
Summary: CVE-2023-22477 affects Mercurius (GraphQL adapter for Fastify) prior to v10.5.0. A malformed WebSocket packet sent to "/graphql" can cause a denial of service. The issue is documented in multiple sources and was patched in PR #940, with the fix released in v11.5.0 (and v8.13.2 in some br...
PT-2023-18529 · Mercurius · Mercurius
Name of the Vulnerable Software and Affected Versions: Mercurius versions prior to 11.5.0 Description: Mercurius is a GraphQL adapter for Fastify. The issue allows for a denial of service attack by sending a malformed packet over WebSocket to "/graphql". This can affect any users of Mercurius...
ssh whoami.filippo.io
I updated the whoami.filippo.io dataset over the holidays, so it should be pretty accurate at least for a little while. If you already know what I'm talking about, below are some tidbits about how I fetched the new dataset and how it's stored. If you don't, stop reading, and run this. I'll wait. $ ss...
Security Bulletin: The IBM® Engineering Lifecycle Engineering products using Liberty are vulnerable to denial of service due to GraphQL Java CVE-2022-37734
Summary The IBM® Engineering Lifecycle Engineering products using Liberty are vulnerable to denial of service due to GraphQL Java; the affected features are mpGraphQL-1.0 and mpGraphQL-2.0. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products...
Security Bulletin: GraphQL Denial of Service security vulnerability CVE-2022-37734
Summary GraphQL has a Denial of Service security vulnerability CVE-2022-37734 in GraphQL-java Vulnerability Details CVEID: CVE-2022-37734 DESCRIPTION: GraphQL Java is vulnerable to a denial of service, caused by an uncontrolled resource consumption flaw. By sending a specially-crafted request usin...
This Week in Spring - December 20th, 2022
Hi, Spring fans! It's the 20th of December, 2022 as I write this, which means that by the time we meet again, here on this humble blog, Tuesday next week, Christmas will already have come and gone. Chanukah is already here! Time is sure flying! So, to those of you who celebrate: Happy Chanukah,...
graphql-java: DoS by malicious query
A flaw was found in GraphQL Java. This flaw allows an attacker to use a malicious query in GraphQL to cause a denial of service due to inefficient lexer input validation...
Security Bulletin: Multiple vulnerabilities have been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2022-24839, CVE-2022-37734, CVE-2022-34165)
Summary IBM WebSphere Application Server Liberty is shipped with IBM Tivoli Netcool Impact as part of its server infrastructure. IBM Tivoli Netcool Impact has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2022-24839 DESCRIPTION: Sparkle Motion Nokogiri is vulnerable to a denial o...
CVE-2022-46792
Hasura GraphQL Engine before 2.15.2 mishandles row-level authorization in the Update Many API for Postgres backends. The fixed versions are 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2. Versions before 2.10.0 are unaffected...
Security Bulletin: IBM PowerVM Novalink is vulnerable because the bundled IBM WebSphere Application Server Liberty uses GraphQL Java, which is vulnerable to a denial of service caused by an uncontrolled resource consumption flaw (CVE-2022-37734)
Summary IBM PowerVM Novalink is vulnerable because the bundled IBM WebSphere Application Server Liberty uses GraphQL Java, which is vulnerable to a denial of service caused by an uncontrolled resource consumption flaw. By sending a specially-crafted request using Directive overloading, a remote attacker...
PT-2022-27980 · Hasura · Hasura Graphql Engine
Name of the Vulnerable Software and Affected Versions: Hasura GraphQL Engine. Versions before 2.10.0 are not affected. From 2.10.0 onwards, each minor branch is affected up to, but not including, its fixed release: 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2 (so the highest affected release is 2.15.1). To simplify, the affected versions are: Hasura...
CVE-2022-46792
Hasura GraphQL Engine CVE-2022-46792 affects Postgres backends via the Update Many API, where row-level authorization is mishandled in versions from 2.10.0 up to, but not including, the fixed release on each branch. The issue does not affect versions before 2.10.0. Fixed releases are 2.10.2, 2.11.3, 2.12.1, 2.13.2, 2.14.1, and 2.15.2. The CVE's impact is...
Hasura GraphQL Engine security vulnerability
Hasura GraphQL Engine is a fast, open-source GraphQL server from Hasura. A security vulnerability exists in Hasura GraphQL Engine versions prior to 2.15.2, which stems from incorrect handling of row-level authorization for Postgres backends in the Update Many API...
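As an added example (not Hasura's code and not part of either advisory source listed above), the following Python encodes the affected-version rule for CVE-2022-46792 that the PT-2022-27980 entry and the CVE summary describe in words: versions before 2.10.0 are unaffected, and on each minor branch from 2.10 to 2.15 a release is affected until the branch's listed fixed version. It assumes, which the page does not state, that minor branches newer than 2.15 were cut after the fix; the image tags it checks are a constructed inventory, not real deployments.

```python
"""Affected-version check for CVE-2022-46792 (Hasura GraphQL Engine).

Added example, not Hasura's or an advisory's code. The branch/fix data
below is taken from the advisory text; the handling of branches newer
than 2.15 is an assumption (see is_affected).
"""
from __future__ import annotations

import re

# A version is a 4-tuple (major, minor, patch, final) where final is 1 for
# a normal release and 0 for a pre-release tag such as v2.15.2-beta.1, so
# that a pre-release sorts before the release it precedes.
Version = tuple[int, int, int, int]

# First fixed release on each affected minor branch, per the advisory.
FIXED_BY_BRANCH: dict[tuple[int, int], Version] = {
    (2, 10): (2, 10, 2, 1),
    (2, 11): (2, 11, 3, 1),
    (2, 12): (2, 12, 1, 1),
    (2, 13): (2, 13, 2, 1),
    (2, 14): (2, 14, 1, 1),
    (2, 15): (2, 15, 2, 1),
}

# "Versions before 2.10.0 are unaffected." The final flag is 0 so that a
# 2.10.0 pre-release is treated conservatively as affected.
FIRST_AFFECTED: Version = (2, 10, 0, 0)

# Accepts hasura/graphql-engine image tags like v2.15.1, plain 2.15.1,
# pre-releases like v2.15.2-beta.1, and an optional +build suffix.
_TAG_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$"
)


def parse_version(tag: str) -> Version:
    """Parse a release tag into a comparable Version tuple."""
    m = _TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"unrecognised Hasura version tag: {tag!r}")
    major, minor, patch, pre, _build = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def is_affected(tag: str) -> bool:
    """True if the given Hasura GraphQL Engine tag is affected by CVE-2022-46792."""
    v = parse_version(tag)
    if v < FIRST_AFFECTED:
        return False
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        # Assumption (not stated in the advisory): minor branches newer than
        # 2.15 were cut after the fix landed and are treated as unaffected.
        return False
    return v < fixed


def triage(tags: list[str]) -> dict[str, bool]:
    """Map each inventory tag to its affected status; unparsable tags raise."""
    return {tag: is_affected(tag) for tag in tags}


if __name__ == "__main__":
    # Constructed inventory of hasura/graphql-engine image tags, not real hosts.
    inventory = ["v2.9.10", "v2.10.1", "v2.10.2", "v2.13.1", "v2.15.1",
                 "v2.15.2", "v2.15.2-beta.1", "v2.16.0"]
    for tag, hit in triage(inventory).items():
        print(f"{tag:16} {'AFFECTED - upgrade' if hit else 'not affected'}")
```

The per-branch table is the point: a flat "before 2.15.2" check would wrongly flag 2.10.2 through 2.14.1 as vulnerable, and a flat "2.10.0 through 2.15.1" range would wrongly flag them as well. Pre-release tags are deliberately sorted below the release they precede so that a 2.15.2 beta is still reported as affected.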