Vulnrichment
added 2022/05/04 10:31 p.m., 13 views

CVE-2022-30288

Agoo before 2.14.3 does not reject GraphQL fragment spreads that form cycles, leading to an application crash. NOTE: the vendor has disputed this on the grounds that it is not the server's responsibility to "enforce all the various ways a developer could write code with logic errors...

AI score 7.3, EPSS 0.01469
Exploits 1, References 3
CVE
added 2022/05/04 10:31 p.m., 509 views

CVE-2022-30288

CVE-2022-30288 affects Agoo (Ruby HTTP server). The vulnerability arises in versions before 2.14.3 where GraphQL fragment spreads that form cycles are not rejected, potentially causing an application crash. Multiple validated sources (NVD, Red Hat, OSV, CVE lists, PT Security, CNNVD) confirm the ...

CVSS 7.5, AI score 7.5, EPSS 0.01469
Exploits 1, References 3, Affected Software 1
Cvelist
added 2022/05/04 10:31 p.m., 23 views

CVE-2022-30288

Agoo before 2.14.3 does not reject GraphQL fragment spreads that form cycles, leading to an application crash. NOTE: the vendor has disputed this on the grounds that it is not the server's responsibility to "enforce all the various ways a developer could write code with logic errors...

AI score 7.8, EPSS 0.01469
Exploits 1, References 3
Spring Engineering
added 2022/04/27 6:15 a.m., 21 views

This Week in Spring - April 26th, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! This week I was hoping to be in glorious Chicago, Illinois for the first in-person SpringOne Tour installment since the pandemic. But, alas, I couldn't go because - out of an abundance of caution, and since I was exposed to...

AI score 6.9
Exploits 0
Tenable Nessus
added 2022/04/20 12:00 a.m., 28 views

GitLab 13.10 < 14.4.5 / 14.5 < 14.5.3 / 14.6 < 14.6.2 (CVE-2022-0152)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - An issue has been discovered in GitLab affecting all versions starting from 13.10 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLa...

CVSS 6.5, AI score 6.4, EPSS 0.01141
Exploits 1, References 3
Tenable Nessus
added 2022/04/20 12:00 a.m., 35 views

GitLab 13.2 < 14.4.5 / 14.5 < 14.5.3 / 14.6 < 14.6.2 (CVE-2022-0172)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.3. Under certain conditions it was possible to bypass the IP restriction for public projects through GraphQL allowi...

CVSS 6.5, AI score 6.4, EPSS 0.00765
Exploits 0, References 3
Tenable Nessus
added 2022/04/20 12:00 a.m., 27 views

GitLab 13.1 < 14.2.6 / 14.3 < 14.3.4 / 14.4 < 14.4.1 (CVE-2021-39904)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - An Improper Access Control vulnerability in the GraphQL API in all versions of GitLab CE/EE starting from 13.1 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting...

CVSS 4.3, AI score 5.2, EPSS 0.00815
Exploits 1, References 4
BDU FSTEC
added 2022/04/13 12:00 a.m., 3 views

A vulnerability in GitLab, the Git-based platform for collaborative code development, stems from deficiencies in the authentication process and allows attackers to gain access to confidential data.

A vulnerability in GitLab, the Git-based platform for collaborative code development, is related to improper access control when using GraphQL. Exploiting this vulnerability allows a malicious actor to gain access to confidential data...

CVSS 6.8, AI score 6.6, EPSS 0.0135
Exploits 1, References 6, Affected Software 1
BDU FSTEC
added 2022/04/13 12:00 a.m., 2 views

A vulnerability in the GraphQL component of GitLab, the Git-based platform for collaborative code development, allows an attacker to compromise data integrity.

A vulnerability in the GraphQL component of GitLab, the Git-based platform for collaborative code development, is related to the missing check for the presence of the X-CSRF-Token header in GET requests. Exploiting this vulnerability allows an attacker to compromise data integri...

CVSS 7.1, AI score 6.8, EPSS 0.00893
Exploits 0, References 5, Affected Software 1
Prion
added 2022/04/11 9:15 p.m., 11 views

Authorization

Elide is a Java library that lets you stand up a GraphQL/JSON-API web service with minimal effort. When leveraging the following together: the Elide Aggregation Data Store for Analytic Queries; Parameterized Columns (a column that requires a client-provided parameter); and a parameterized column of typ...

CVSS 6.8, AI score 8.3, EPSS 0.01297
Exploits 0, References 3, Affected Software 1
CVE
added 2022/04/11 8:13 p.m., 683 views

CVE-2022-24827

Elide (Java) SQL Injection vulnerability (CVE-2022-24827) affects analytic queries that use Parameterized Columns of type TEXT in the Elide Aggregation Data Store. The issue stems from TEXT parameter values that can be interpreted as SQL comments (--) after a patch in 6.1.2, allowing bypass ...

CVSS 8.1, AI score 8.3, EPSS 0.01297
Exploits 0, References 3, Affected Software 1
Cvelist
added 2022/04/11 8:13 p.m., 17 views

CVE-2022-24827 SQL Injection in elide-datastore-aggregation

Elide is a Java library that lets you stand up a GraphQL/JSON-API web service with minimal effort. When leveraging the following together: the Elide Aggregation Data Store for Analytic Queries; Parameterized Columns (a column that requires a client-provided parameter); and a parameterized column of typ...

CVSS 8.1, AI score 8.6, EPSS 0.01297
Exploits 0, References 3
OSV
added 2022/04/11 8:13 p.m., 17 views

CVE-2022-24827 SQL Injection in elide-datastore-aggregation

Elide is a Java library that lets you stand up a GraphQL/JSON-API web service with minimal effort. When leveraging the following together: the Elide Aggregation Data Store for Analytic Queries; Parameterized Columns (a column that requires a client-provided parameter); and a parameterized column of typ...

CVSS 8.1, AI score 8.2, EPSS 0.01297
Exploits 0, References 5
Spring Engineering
added 2022/04/07 8:00 p.m., 13 views

A Bootiful Podcast: GraphQL Java founder Andi Marek

Hi, Spring fans! In this installment of a Bootiful Podcast, Josh Long @starbuxman talks to the GraphQL Java project founder and lead, Atlassian engineer, and Spring GraphQL cofounder Andi Marek @andimarek...

AI score 2
Exploits 0
OSV
added 2022/04/01 1:59 p.m., 21 views

GHSA-CQXX-66WH-8PJW Improper Removal of Sensitive Information Before Storage or Transfer in irrd

IRRd did not always filter password hashes in query responses relating to mntner objects and database exports. This may have allowed adversaries to retrieve some of these hashes, perform a brute-force search for the clear-text passphrase, and use these to make unauthorised changes to affected IRR...

CVSS 7.5, AI score 7.6, EPSS 0.01366
Exploits 0, References 7
Github Security Blog
added 2022/04/01 1:59 p.m., 50 views

Improper Removal of Sensitive Information Before Storage or Transfer in irrd

IRRd did not always filter password hashes in query responses relating to mntner objects and database exports. This may have allowed adversaries to retrieve some of these hashes, perform a brute-force search for the clear-text passphrase, and use these to make unauthorised changes to affected IRR...

CVSS 7.5, AI score 1.2, EPSS 0.01366
Exploits 0, References 7, Affected Software 1
Spring Engineering
added 2022/03/29 7:00 a.m., 25 views

This Week in Spring - March 29th, 2022

Aloha, Spring fans, from beautiful Maui, Hawaii, where I am with my family on a bit of vacation. It's our daughter's Spring break and so we're enjoying the family time while we can get it! I wanted to take a brief interlude in between the never-enough time on the beach and all the rum to get this...

AI score 7.1
Exploits 0
OSV
added 2022/03/28 7:15 p.m., 26 views

CVE-2021-4191

An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Private GitLab instances with restricted sign-ups may be vulnerable to user enumeration to unauthenticated users through the GraphQL API...

CVSS 5.3, AI score 6.5, EPSS 0.80004
Exploits 4, References 3
NVD
added 2022/03/28 7:15 p.m., 23 views

CVE-2021-4191

An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Private GitLab instances with restricted sign-ups may be vulnerable to user enumeration to unauthenticated users through the GraphQL API...

CVSS 5.3, EPSS 0.80004
Exploits 4, References 3
ATTACKERKB
added 2022/03/28 7:15 p.m., 3 views

CVE-2021-4191

An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Private GitLab instances with restricted sign-ups may be vulnerable to user enumeration to unauthenticated users through the GraphQL API...

CVSS 5.3, AI score 6.9, EPSS 0.80004
Exploits 4, References 6, Affected Software 1