
Spring Security Advisories
added 2022/05/19 10:56 a.m. · 25 views

Spring for GraphQL 1.0 Release

On behalf of the Spring for GraphQL team and every contributor, it is my pleasure to announce the 1.0 GA release. It's been 10 months since the project was announced and under 2 years since the first commit, unremarkably called "first commit". The project began with the modest goal to replace the...

AI score 7.4
Exploits 0
Positive Technologies
added 2022/05/18 12:00 a.m. · 3 views

PT-2022-5135 · Juniper Networks · Juniper

Name of the Vulnerable Software and Affected Versions: Juniper versions prior to 0.15.10 Description: The issue is related to uncontrolled recursion in the Juniper GraphQL server library for Rust, which can result in a program crash. This can be caused by deeply nested fragments in a GraphQL...

CVSS 7.5 · AI score 7.3 · EPSS 0.01305
Exploits 1 · References 13
Spring Security Advisories
added 2022/05/17 11:5 p.m. · 32 views

This Week in Spring - May 17th, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! I am in beautiful Barcelona, Spain, this week, ahead of the upcoming Spring I/O show. I just spent a wonderful week in amazing England, meeting old friends, speaking at Devoxx UK, etc. A Bootiful Podcast: EasyMock contributor...

AI score 7.2
Exploits 0
Veracode
added 2022/05/17 5:47 a.m. · 46 views

Remote Code Execution (RCE)

graphql-upload is vulnerable to remote code execution. The vulnerability exists due to a lack of sanitization of file name via the upload function...

CVSS 9.8 · AI score 4.5 · EPSS 0.01615
Exploits 1 · References 1 · Affected Software 1
ATTACKERKB
added 2022/05/16 2:15 p.m. · 2 views

CVE-2022-29353

An arbitrary file upload vulnerability in the file upload module of Graphql-upload v13.0.0 allows attackers to execute arbitrary code via a crafted filename...

CVSS 9.8 · AI score 7.5 · EPSS 0.01615
Exploits 1 · References 2
OSV
added 2022/05/16 2:15 p.m. · 3 views

CVE-2022-29353

An arbitrary file upload vulnerability in the file upload module of Graphql-upload v13.0.0 allows attackers to execute arbitrary code via a crafted filename...

CVSS 9.8 · AI score 6
Exploits 0 · References 1
NVD
added 2022/05/16 2:15 p.m. · 13 views

CVE-2022-29353

An arbitrary file upload vulnerability in the file upload module of Graphql-upload v13.0.0 allows attackers to execute arbitrary code via a crafted filename...

CVSS 9.8 · EPSS 0.01615
Exploits 1 · References 1
Prion
added 2022/05/16 2:15 p.m. · 19 views

Design/Logic Flaw

An arbitrary file upload vulnerability in the file upload module of Graphql-upload v13.0.0 allows attackers to execute arbitrary code via a crafted filename...

CVSS 7.5 · AI score 9.5 · EPSS 0.01615
Exploits 1 · References 1 · Affected Software 1
CVE
added 2022/05/16 1:28 p.m. · 555 views

CVE-2022-29353

Affected software: Graphql-upload v13.0.0 (Node.js middleware). Vulnerable component: file upload module; root cause: arbitrary file upload via crafted filename enables code execution. Impact: remote code execution with high/critical severity indicators (network vector, no authentication; confide...

CVSS 9.8 · AI score 9.5 · EPSS 0.01615
Exploits 1 · References 1 · Affected Software 1
Cvelist
added 2022/05/16 1:28 p.m. · 17 views

CVE-2022-29353

An arbitrary file upload vulnerability in the file upload module of Graphql-upload v13.0.0 allows attackers to execute arbitrary code via a crafted filename...

AI score 9.7 · EPSS 0.01615
Exploits 1 · References 1
CNNVD
added 2022/05/16 12:00 a.m. · 2 views

Graphql-upload code issue vulnerability

Graphql-upload is a middleware and upload scalar from the individual developer Jayden Seric in Australia. It is used to add support for GraphQL multi-part requests uploading files via queries and mutations to various Node.js Graphql servers. A security vulnerability exists in Graphql-upload versi...

CVSS 9.8 · AI score 8.7 · EPSS 0.01615
Exploits 1 · References 2
OSV
added 2022/05/10 12:00 a.m. · 26 views

GHSA-W3XG-7Q6M-3XWP Improper Access Control in wp-graphql

The WPGraphQL WordPress plugin before 0.3.5 doesn't properly restrict access to information about other users' roles on the affected site. Because of this, a remote attacker could forge a GraphQL query to retrieve the account roles of every user on the site...

CVSS 5.3 · AI score 5 · EPSS 0.01728
Exploits 1 · References 4
Github Security Blog
added 2022/05/10 12:00 a.m. · 25 views

Improper Access Control in wp-graphql

The WPGraphQL WordPress plugin before 0.3.5 doesn't properly restrict access to information about other users' roles on the affected site. Because of this, a remote attacker could forge a GraphQL query to retrieve the account roles of every user on the site...

CVSS 5.3 · AI score 4.6 · EPSS 0.01728
Exploits 1 · References 4 · Affected Software 1
Cvelist
added 2022/05/09 4:50 p.m. · 12 views

CVE-2019-25060 WP-GraphQL < 0.3.5 - Improper Access Control

The WPGraphQL WordPress plugin before 0.3.5 doesn't properly restrict access to information about other users' roles on the affected site. Because of this, a remote attacker could forge a GraphQL query to retrieve the account roles of every user on the site...

AI score 5.1 · EPSS 0.01728
Exploits 1 · References 2
CNNVD
added 2022/05/09 12:00 a.m. · 2 views

WordPress plugin WPGraphQL access control error vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. WordPress plugin is an application plugin. WordPress plugin WPGraphQL versions prior to 0.3.5 are vulnerable to an access control error that...

CVSS 5.3 · AI score 5.8 · EPSS 0.01728
Exploits 1 · References 3
Kitploit
added 2022/05/05 12:30 p.m. · 32 views

Graphql-Threat-Matrix - GraphQL Threat Framework Used By Security Professionals To Research Security Gaps In GraphQL Implementations

Why graphql-threat-matrix? graphql-threat-matrix was built for bug bounty hunters, security researchers and hackers to assist with uncovering vulnerabilities across multiple GraphQL implementations. The differences in how GraphQL implementations interpret and conform to the GraphQL specification...

AI score 7.5
Exploits 0 · References 40
ATTACKERKB
added 2022/05/04 11:15 p.m. · 2 views

CVE-2022-30288

Agoo before 2.14.3 does not reject GraphQL fragment spreads that form cycles, leading to an application crash. NOTE: the vendor has disputed this on the grounds that it is not the server's responsibility to "enforce all the various ways a developer could write code with logic errors...

CVSS 7.5 · AI score 7.2 · EPSS 0.01469
Exploits 1 · References 4
OSV
added 2022/05/04 11:15 p.m. · 8 views

CVE-2022-30288

Agoo before 2.14.3 does not reject GraphQL fragment spreads that form cycles, leading to an application crash. NOTE: the vendor has disputed this on the grounds that it is not the server's responsibility to "enforce all the various ways a developer could write code with logic errors...

CVSS 7.5 · AI score 6.9
Exploits 0 · References 3
NVD
added 2022/05/04 11:15 p.m. · 13 views

CVE-2022-30288

Agoo before 2.14.3 does not reject GraphQL fragment spreads that form cycles, leading to an application crash. NOTE: the vendor has disputed this on the grounds that it is not the server's responsibility to "enforce all the various ways a developer could write code with logic errors...

CVSS 7.5 · EPSS 0.01469
Exploits 1 · References 3
Prion
added 2022/05/04 11:15 p.m. · 12 views

Design/Logic Flaw

DISPUTED Agoo before 2.14.3 does not reject GraphQL fragment spreads that form cycles, leading to an application crash. NOTE: the vendor has disputed this on the grounds that it is not the server's responsibility to "enforce all the various ways a developer could write code with logic errors."...

CVSS 5 · AI score 7.6 · EPSS 0.01469
Exploits 1 · References 3 · Affected Software 1