
3121 matches found

OSV
added 2022/07/28 12:00 p.m., 23 views

RUSTSEC-2022-0038 Denial of service on deeply nested fragment requests

Deeply nested fragments in a GraphQL request may cause a stack overflow in the server...

CVSS 7.5, AI score 7.6, EPSS 0.01305
Exploits: 1, References: 3
RustSec
added 2022/07/28 12:00 p.m., 25 views

Denial of service on deeply nested fragment requests

Deeply nested fragments in a GraphQL request may cause a stack overflow in the server...

CVSS 7.5, AI score 3.3, EPSS 0.01305
Exploits: 1, Affected software: 1
Spring Security Advisories
added 2022/07/26 7:00 a.m., 28 views

This Week in Spring - July 26th, 2022

Aloha, Spring fans! I'm on vacation, reporting to you from the paradise-like island of Maui, Hawaii, and hoping that you're having a wonderful day! My family and I love Hawaii. It's brimming with beauty and serenity, and while the island of Maui, in the state of Hawaii, is very small, the islands ar...

AI score 7.2
Exploits: 0
WPVulnDB
added 2022/07/26 12:00 a.m., 30 views

WPGraphQL WooCommerce <= 0.11.0 - Unauthenticated Coupon Codes Disclosure

The plugin does not prevent unauthenticated attackers from enumerating a shop's coupon codes and values via GraphQL. PoC: the vulnerability exists because the plugin only prevents users from leaking coupons through the "coupons" aggregate field, and not through the regular "coupon" field. Given a valid...

AI score 1.6, EPSS 0.00724
Exploits: 2, References: 1, Affected software: 1
wpexploit
added 2022/07/26 12:00 a.m., 128 views

WPGraphQL WooCommerce <= 0.11.0 - Unauthenticated Coupon Codes Disclosure

The plugin does not prevent unauthenticated attackers from enumerating a shop's coupon codes and values via GraphQL. The vulnerability exists due to the plugin only preventing users from leaking coupons using the "coupons" aggregate field, and not the regular "coupon" field. Given a valid coupon...

AI score 0.5, EPSS 0.00724
Exploits: 2, References: 1
vulnersOsv
added 2022/07/21 12:00 p.m., 6 views

apollo-gateway-rs (>=0.7.5 <=0.7.6), aqlgen (>=0.1.0 <=0.8.0) +61 more potentially affected by unknown CVE via async-graphql (>=1.13.4 <=4.0.16)

async-graphql CARGO versions =1.13.4, =0.7.5, =0.1.0, =0.1.0, =0.1.0, =0.0.1-alpha+3, =0.1.0, =2.9.13, =0.1.0-beta.0, =2.9.12, =0.2.0, =1.14.10, =0.1.0, =1.0.0, =4.0.16 and more. Source CVEs: unknown CVE. Source advisory: OSV:RUSTSEC-2022-0037...

AI score 5.8
Exploits: 0
RustSec
added 2022/07/21 12:00 p.m., 16 views

Denial of service on deeply nested fragment requests

Deeply nested fragments in a GraphQL request may cause a stack overflow in the server...

AI score 3.3
Exploits: 0, Affected software: 1
OSV
added 2022/07/21 12:00 p.m., 9 views

RUSTSEC-2022-0037 Denial of service on deeply nested fragment requests

Deeply nested fragments in a GraphQL request may cause a stack overflow in the server...

CVSS 7.5, AI score 7.5
Exploits: 0, References: 3
BDU FSTEC
added 2022/07/18 12:00 a.m., 5 views

A vulnerability in the GraphQL API implementation of Red Hat Advanced Cluster Security (RHACS) for Kubernetes allows an attacker to escalate their privileges and gain unauthorized access to protected information.

The vulnerability in the GraphQL API implementation of Red Hat Advanced Cluster Security (RHACS) for Kubernetes lies in insufficient protection of sensitive data. Exploiting it can allow an attacker to escalate their privileges and gain unauthorized access to protected...

CVSS 7.7, AI score 7.6, EPSS 0.01112
Exploits: 1, References: 4, Affected software: 1
OSV
added 2022/07/15 11:10 p.m., 22 views

GO-2022-0300 Panic via malicious inputs in github.com/graph-gophers/graphql-go

Malicious inputs can cause a panic. A maliciously crafted input can cause a stack overflow and panic. Any user with access to the GraphQL endpoint can send such a query. This issue only occurs when using the graphql.MaxDepth schema option, which is highly recommended in most cases...

CVSS 6.5, AI score 6.6, EPSS 0.01243
Exploits: 0, References: 1
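RUSTSEC-2022-0037/0038 above describe fragment nesting that overflows the executor's stack, and GO-2022-0300 says the graphql-go panic appears only when the MaxDepth option is on, so the check meant to stop deep queries is itself the recursive walk that runs out of stack. The following is an added example, not code from async-graphql, graphql-go or any advisory: a pre-execution guard in Python that avoids both failure modes. A single non-recursive token scan caps the literal brace depth and records where fragment spreads sit; the expanded depth is then computed over the fragment graph with an explicit stack and a memo, so a cyclic spread is reported rather than followed and a fragment spread a thousand times costs nothing extra. The depth limit and the sample queries are assumed and constructed.

```python
import re

MAX_DEPTH = 10   # assumed limit; set it to the deepest query the schema legitimately needs

# Constructed sample: a fragment chain that is two levels deep to parse but fifteen once expanded.
CHAIN_QUERY = "{ ...F0 } " + " ".join(
    f"fragment F{i} on T {{ f {{ ...F{i + 1} }} }}" for i in range(14)) + " fragment F14 on T { f }"

# Minimal lexer: spread, string, name, number, comment, single punctuator; commas are noise.
_TOKEN_RE = re.compile(r'\.\.\.|"(?:[^"\\]|\\.)*"|[_A-Za-z][_0-9A-Za-z]*|-?\d[\d.eE+-]*|#[^\n]*|[^\s,]')
_NAME_RE = re.compile(r'[_A-Za-z][_0-9A-Za-z]*$')


class QueryRejected(Exception):
    """Raised at the first limit crossed; the checker never does work proportional to the attack."""


def scan_units(query, max_depth):
    """One non-recursive pass over the tokens. Returns {unit: [local_depth, [(fragment, depth)]]}
    for each operation (keyed 0, 1, ...) and fragment definition (keyed by name): the deepest
    selection set written literally, plus every named spread with the depth it sits at.
    Only braces, parentheses, '...' and 'fragment' matter; aliases, arguments, directives and
    type conditions are skipped, so the scan is cheap and has no recursion to exhaust."""
    tokens = [t for t in _TOKEN_RE.findall(query) if not t.startswith('#')]
    units, unit, nops, depth, paren, i = {}, None, 0, 0, 0, 0
    while i < len(tokens):
        tok, i = tokens[i], i + 1
        if paren or tok in ('(', ')'):            # arguments/variables: a '{' in here is an input object
            paren += (tok == '(') - (tok == ')')
            if paren < 0:
                raise QueryRejected("unbalanced ')'")
            continue
        if unit is None:                          # first token of an operation or fragment definition
            if tok == 'fragment':
                if i >= len(tokens):
                    raise QueryRejected("fragment without a name")
                unit, i = tokens[i], i + 1
            else:
                unit, nops = nops, nops + 1
            units[unit] = [0, []]
        if tok == '{':
            depth += 1
            if depth > max_depth:
                raise QueryRejected(f"syntactic nesting deeper than {max_depth}")
            units[unit][0] = max(units[unit][0], depth)
        elif tok == '}':
            depth -= 1
            if depth < 0:
                raise QueryRejected("unbalanced '}'")
            if depth == 0:
                unit = None                       # definition complete
        elif tok == '...' and i < len(tokens) and tokens[i] != 'on' and _NAME_RE.match(tokens[i]):
            units[unit][1].append((tokens[i], depth))   # named spread, and the depth it sits at
            i += 1
    if depth or paren or unit is not None:
        raise QueryRejected("unterminated definition")
    return units


def effective_depth(start, units, max_depth):
    """Depth of `start` with every spread expanded. Iterative DFS over the fragment graph with
    a memo: linear in the number of definitions, so chains and fan-out of fragments add no
    cost, and a spread cycle is reported instead of recursed into. A fragment whose content
    is r levels deep, spread at depth d, reaches depth d + r - 1."""
    memo, path, stack = {}, set(), [(start, False)]
    while stack:
        name, leaving = stack.pop()
        if leaving:
            local, spreads = units[name]
            path.discard(name)
            memo[name] = max([local] + [d - 1 + memo[f] for f, d in spreads])
            if memo[name] > max_depth:
                raise QueryRejected(f"effective nesting deeper than {max_depth}")
        elif name not in memo:
            if name in path:
                raise QueryRejected(f"fragment cycle through {name}")
            if name not in units:
                raise QueryRejected(f"unknown fragment {name}")
            path.add(name)
            stack.append((name, True))            # LIFO: all spreads are resolved before this runs
            stack.extend((f, False) for f, _ in units[name][1])
    return memo[start]


def check_query(query, max_depth=MAX_DEPTH):
    """Effective depth of the document's deepest operation, or QueryRejected."""
    units = scan_units(query, max_depth)
    ops = [u for u in units if isinstance(u, int)]
    if not ops:
        raise QueryRejected("document contains no operation")
    return max(effective_depth(op, units, max_depth) for op in ops)


def is_safe(query, max_depth=MAX_DEPTH):
    try:
        return check_query(query, max_depth) > 0
    except QueryRejected:
        return False


if __name__ == "__main__":
    print(check_query("{ me { id } }"), is_safe(CHAIN_QUERY))   # 2 False
```

The scan measures depth, not validity: a malformed document that slips through here is still rejected by the real parser, and inline fragments are counted as a level, which errs on the side of rejecting. Run it before the query reaches the executor; a document that fails never costs more than one linear pass.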
RedhatCVE
added 2022/07/07 4:12 p.m., 57 views

CVE-2022-1902

A flaw was found in the Red Hat Advanced Cluster Security for Kubernetes. Notifier secrets were not properly sanitized in the GraphQL API. This flaw allows authenticated ACS users to retrieve Notifiers from the GraphQL API, revealing secrets that can escalate their privileges...

CVSS 8.8, AI score 3.2, EPSS 0.01112
Exploits: 1, References: 3
Kitploit
added 2022/07/07 12:30 a.m., 52 views

CrackQL - GraphQL Password Brute-Force And Fuzzing Utility

CrackQL is a GraphQL password brute-force and fuzzing utility. It is a versatile GraphQL penetration testing tool that exploits poor rate-limit and cost-analysis controls to brute-force credentials and fuzz operations. How it works: CrackQL works by automatically batching a single GraphQL...

AI score 6.9
Exploits: 0, References: 4
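CrackQL's batching pays off because the server prices one HTTP request as one login attempt, while the body carries many aliased `login` selections in a single mutation (or many operations in a JSON-array batch). The following added example, neither CrackQL's code nor any server's, counts such calls in a request body before execution and refuses the request once they exceed a per-request budget; the guarded field names, the budget and the sample bodies are assumed and constructed.

```python
import json
import re

# Assumed policy: root fields that accept a credential guess, and how many calls to them one
# HTTP request may carry, with alias batching and JSON-array batching counted together.
SENSITIVE_FIELDS = ("login", "verifyOtp", "resetPassword")
MAX_CALLS_PER_REQUEST = 3

_STRING_RE = re.compile(r'"(?:[^"\\]|\\.)*"')
_COMMENT_RE = re.compile(r'#[^\n]*')


def count_field_calls(query, fields=SENSITIVE_FIELDS):
    """Count selections of each field in one query string, aliased (`a1: login(...)`) or not.
    String literals and comments are blanked first so a password containing 'login(' is not
    counted; the lookbehind and the trailing '(' or '{' keep `$login` variables and fields such
    as `loginHistory` from matching."""
    text = _COMMENT_RE.sub('', _STRING_RE.sub('""', query))
    counts = {}
    for field in fields:
        pattern = re.compile(r'(?<![\w$])(?:[_A-Za-z]\w*\s*:\s*)?' + re.escape(field) + r'\s*[({]')
        counts[field] = len(pattern.findall(text))
    return counts


def inspect_request(body, fields=SENSITIVE_FIELDS, limit=MAX_CALLS_PER_REQUEST):
    """Decide on a GraphQL HTTP body: a single {"query": ...} object or an array batch of them."""
    doc = json.loads(body)
    operations = doc if isinstance(doc, list) else [doc]
    totals = dict.fromkeys(fields, 0)
    for op in operations:
        query = op.get("query", "") if isinstance(op, dict) else ""
        for field, n in count_field_calls(query, fields).items():
            totals[field] += n
    calls = sum(totals.values())
    return {"operations": len(operations), "calls": calls, "per_field": totals, "allow": calls <= limit}


# Constructed sample bodies, not captured traffic.
SINGLE_LOGIN_BODY = json.dumps(
    {"query": 'mutation { login(username: "alice", password: "hunter2") { token } }'})
DECOY_QUERY = ('query ($login: String) { loginHistory(user: $login, note: "login(") { when } '
               'login: me { id } }')


def alias_batch_body(n, username="alice"):
    """CrackQL-style payload: one mutation carrying n aliased login calls with different guesses."""
    calls = " ".join(
        f'a{i}: login(username: "{username}", password: "guess{i}") {{ token }}' for i in range(n))
    return json.dumps({"query": f"mutation {{ {calls} }}"})


def array_batch_body(n, username="alice"):
    """The same guesses spread over n operations in a JSON array, which many servers also accept."""
    return json.dumps([
        {"query": f'mutation {{ login(username: "{username}", password: "guess{i}") {{ token }} }}'}
        for i in range(n)])


if __name__ == "__main__":
    for body in (SINGLE_LOGIN_BODY, alias_batch_body(50), array_batch_body(5)):
        print(inspect_request(body))
```

Counting in the raw text deliberately runs ahead of the parser, so a body refused here never costs a resolver call or a password-hash comparison. It does not follow fragment spreads: a `login` inside a fragment that is spread many times is counted once, so pair it with parser-level cost analysis or a per-credential rate limit for that case.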
Trend Micro Simply Security
added 2022/07/07 12:00 a.m., 18 views

GraphQL vs gRPC: Which One Creates More Secure APIs?

Learn about the security capabilities of GraphQL and gRPC, how they perform authentication/authorization, and how they compare to REST. In addition, discover common attack vectors for both API frameworks and how to prevent them...

AI score 3.1
Exploits: 0
Spring Security Advisories
added 2022/07/05 9:00 a.m., 20 views

This Week in Spring - July 5th, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! This week's all sorts of weird for me. It's Tuesday! But here in the US we just celebrated the 4th of July, and I, like many Americans, took a long weekend. Took some time with the family to do a little road trip up north to...

AI score 7.1
Exploits: 0
Spring Security Advisories
added 2022/06/28 7:00 a.m., 16 views

This Week in Spring - June 28th, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm writing this from the Big Apple, New York City! I'm here for the SpringOne Tour 2022 NYC event. This is my first time back in New York City since before the pandemic and it has been so much fun. I've been catching up with...

AI score 7.1
Exploits: 0
Spring Security Advisories
added 2022/06/24 4:00 a.m., 19 views

Spring Tips: Learn Spring for GraphQL (the last two episodes: parts 7 and 8)

Hi, Spring fans! In these installments, we continue our series introducing the Spring for GraphQL project. This series features Spring for GraphQL lead Rossen Stoyanchev (@rstoya05), whose work you may know from basically everything in the wide and wonderful world of Springdom having to do...

AI score 7.2
Exploits: 0
OSSF Malicious Packages
added 2022/06/20 9:13 p.m., 3 views

Malicious code in x3-stock-graphql-demo (npm)

Source: ghsa-malware 80cd5e1c9d72642b5cf61b5bf0d49e2b32267885c173a08e5bb0ef28124885e1. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits: 0, References: 1
OSV
added 2022/06/20 9:13 p.m., 6 views

MAL-2022-7260 Malicious code in x3-stock-graphql-demo (npm)

Source: ghsa-malware 80cd5e1c9d72642b5cf61b5bf0d49e2b32267885c173a08e5bb0ef28124885e1. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 7
Exploits: 0, References: 1
OSSF Malicious Packages
added 2022/06/20 8:23 p.m., 3 views

Malicious code in @sfcc-core/core-graphql (npm)

Source: ghsa-malware 9a0a9e189f0e17b4410de77d0ad249257289e7c84350015968cae5a1e1320f17. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits: 0, References: 1
OSSF Malicious Packages
added 2022/06/20 8:19 p.m., 3 views

Malicious code in @fbsystem/figma-graphql (npm)

Source: ghsa-malware ffcdcbc9429c0fa805533c9d10c14de74d0e13ff69d006e033802a11ac00733b. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits: 0, References: 1