39 matches found
CVE-2024-50311
CVE-2024-50311 affects OpenShift GraphQL batching, causing DoS through requests with thousands of aliases. Red Hat’s advisory RHSA-2024:6122 confirms a security update for OpenShift Container Platform 4.18.1 that addresses this issue; the CVSS base score is MEDIUM with availability impact. The af...
CVE-2024-50311
A denial of service (DoS) vulnerability was found in OpenShift. This flaw allows attackers to exploit the GraphQL batching functionality. The vulnerability arises when multiple queries can be sent within a single request, enabling an attacker to submit a request containing thousands of aliases in o...
PT-2024-34132 · Red Hat · Openshift
Name of the Vulnerable Software and Affected Versions: OpenShift (affected versions not specified) Description: A denial of service (DoS) issue was found in OpenShift, related to the GraphQL batching functionality. This allows attackers to send multiple queries within a single request, potentially...
GraphQL Batching
GraphQL engines sometimes support combining a group of requests into a single one to try optimizing network performances between the client and the GraphQL server. When supported and enabled, this feature implementation should be reviewed as it could be abused by an attacker to bypass application...
EXNESS: GraphQL attribute Batching DOS can take down pwapi.ex2b.com
Summary: Hi team! I hope you are having a great day! pwapi.ex2b.com instances work with a GraphQL API. This GraphQL endpoint is at / and can be called by unauthenticated users. This GraphQL endpoint allows you to perform a query with the same attribute multiple times in a single request. The more...
HackerOne: Ability to bulk submit reports via query named based batching
A vulnerability was discovered in the GraphQL API of the HackerOne platform. The vulnerability allowed an attacker to bulk submit reports via query-based batching, bypassing the intended limit of 500 reports. This was achieved by leveraging a Python script to generate a large number of reports in...
Insights into the New OWASP API Security Top-10 for CISOs
ICYMI, we recently presented A CISOs Guide to the New 2023 OWASP API Security Update. In this first of two planned webinars, Stepan Ilyin and Tim Ebbers provided an overview of what’s in and what’s out in the planned update and had a lively discussion about how this impacts your API security plan...
PT-2022-28222 · Unknown · Apollo Server
Name of the Vulnerable Software and Affected Versions: Apollo Server versions 3.0.0 through 3.10.0 and Apollo Server version 4.0.0 Description: The cache-control HTTP response header may not reflect the cache policy for HTTP requests with multiple operations using HTTP batching. This...
Spring Tips: Learn Spring for GraphQL (parts 3 and 4 of an ongoing series)
Hi, Spring fans! In these installments, we continue our series introducing the Spring for GraphQL project. This series features Spring for GraphQL lead Rossen Stoyanchev @rstoya05 - whose work you may know from basically everything in the wide and wonderful world of Springdom having to do...
Internet Bug Bounty: rubygems.org Batching attack to `confirmation_token` by bypass rate limit
The following is copied from hackerone's report. https://hackerone.com/reports/1529183 --- I confirmed that EmailConfirmationsController has the same problem as https://hackerone.com/reports/449356...
CVE-2021-41313
Affected versions of Atlassian Jira Server and Data Center allow authenticated but non-admin remote attackers to edit email batch configurations via an Improper Authorization vulnerability in the /secure/admin/ConfigureBatching!default.jspa endpoint. The affected versions are before version 8.20....
PT-2021-23268 · Atlassian · Jira
Name of the Vulnerable Software and Affected Versions: Atlassian Jira Server and Data Center versions prior to 8.20.7 Description: The issue allows authenticated but non-admin remote attackers to edit email batch configurations via an Improper Authorization vulnerability in the...
BatchQL - GraphQL Security Auditing Script With A Focus On Performing Batch GraphQL Queries And Mutations
BatchQL is a GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations. This script is not complex, and we welcome improvements. When exploring the problem space of GraphQL batching attacks, we found that there were a few blog posts on the internet, however n...
Violation of implicit constraints in batched operations may break protocol assumptions
Handle: 0xRajeev. Vulnerability details. Impact: The Ladle batching of operations is a complex task, as noted by the project lead, which has implicit constraints on what operations can be bundled together in a batch, which operations can/have to appear how many times, and in what order/sequence, etc. Som...
WPGraphQL < 1.3.6 - Denial of Service
The plugin suffers from a Denial of Service vulnerability by Field Duplication. It is possible to create an expensive query by duplicating the number of fields, while simultaneously sending these requests in batches using GraphQL's Batching capability. v1.3.6 added a setting to disable batch...
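The GraphQL Batching, EXNESS, HackerOne and WPGraphQL entries above all rest on the same two mechanisms: alias batching (one operation that names the same field many times under different aliases) and transport batching (a JSON array of operations in one HTTP request). Either lets one request carry thousands of resolver calls, which defeats a per-request rate limit and multiplies server work. The Python below is an added example, not code from any of the listed projects or reports: it builds both request shapes the way an attacker would, and shows a server-side guard that counts batched operations and root-level selections before any resolver runs. All names (build_alias_batch, check_request, the limits, the sample OTP values) are this example's own assumptions.

```python
"""Added example: GraphQL alias/array batching abuse and a server-side guard.

Not code from any project listed above. Function names, limits and the
sample values are this example's own assumptions, constructed for illustration.
"""
import json
import re
from typing import Any, Dict, List, Tuple, Union

Body = Union[str, Dict[str, Any], List[Dict[str, Any]]]
# an identifier, optionally followed by ':' (which marks it as an alias)
_IDENT = re.compile(r"([_A-Za-z][_0-9A-Za-z]*)(\s*:)?")


def build_alias_batch(field: str, arg_name: str, values: List[str],
                      selection: str = "token") -> str:
    """Attacker side: fold many calls of one field into ONE operation using
    aliases v0, v1, ... A rate limit that counts HTTP requests sees one request."""
    parts = [f"v{i}: {field}({arg_name}: {json.dumps(v)}) {{ {selection} }}"
             for i, v in enumerate(values)]
    return "mutation { " + " ".join(parts) + " }"


def build_array_batch(query: str, n: int) -> List[Dict[str, Any]]:
    """Attacker side: transport-level batching, a JSON array of n operations."""
    return [{"query": query} for _ in range(n)]


def top_level_selections(query: str) -> int:
    """Count root-level selections of one operation, i.e. how many resolver
    calls the root fans out to. Nested selection sets, argument lists and
    string literals are skipped; a fragment spread counts as one selection.
    A production server should walk its parser's AST rather than this scanner."""
    start = query.find("{")
    if start < 0:
        return 0
    depth, in_str, buf = 0, False, []
    i = start
    while i < len(query):
        ch = query[i]
        if in_str:
            if ch == "\\":
                i += 1            # skip the escaped character
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch in "{(":
            if depth == 1:
                buf.append(" ")   # separator where a nested block is dropped
            depth += 1
        elif ch in "})":
            depth -= 1
        elif depth == 1:
            buf.append(ch)
        i += 1
    root = "".join(buf)
    # identifiers not followed by ':' are field names; aliases precede them
    return sum(1 for m in _IDENT.finditer(root) if not m.group(2))


def count_operations(body: Body) -> Tuple[int, int]:
    """Return (operations, total root selections) for a request body, whether
    it is a single {"query": ...} object, a JSON array of them, or raw JSON."""
    if isinstance(body, str):
        body = json.loads(body)
    ops = body if isinstance(body, list) else [body]
    return len(ops), sum(top_level_selections(op.get("query", "")) for op in ops)


def check_request(body: Body, max_ops: int = 1, max_root: int = 20) -> Tuple[bool, str]:
    """Server side: reject before any resolver runs. max_ops=1 refuses array
    batching outright; max_root caps alias fan-out inside one operation."""
    n_ops, n_root = count_operations(body)
    if n_ops > max_ops:
        return False, f"{n_ops} batched operations > {max_ops}"
    if n_root > max_root:
        return False, f"{n_root} root selections > {max_root}"
    return True, "ok"


if __name__ == "__main__":
    otps = [f"{i:06d}" for i in range(1000)]               # constructed OTP guesses
    brute = build_alias_batch("verifyOtp", "code", otps)
    print(check_request({"query": brute}))                 # rejected: 1000 root selections
    print(check_request(build_array_batch("{ me { id } }", 50)))  # rejected: 50 operations
    print(check_request({"query": "{ me { id } }"}))       # ok
```

The guard is deliberately placed ahead of execution: once the engine starts resolving, each alias is already a separate resolver call and the damage is done. Counting root selections and operations is the cheap first line; servers that must keep batching should combine it with per-operation cost or depth limits and make rate limiting count resolver invocations rather than HTTP requests.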
SUSE-SU-2020:0684-1 Security update for salt
This update for salt fixes the following issues: - Avoid possible user escalation upgrading salt-master bsc1157465 CVE-2019-18897 - Fix unit tests failures in testbatchasync tests - Batch Async: Handle exceptions, properly unregister and close instances after running async batching to avoid CPU...
GraphQL Batching Attack
There is a new attack surface when the app tech stack includes GraphQL. It's Batched Attacks on GraphQL APIs. How can these apps be protected? Read more to find out. The post GraphQL Batching Attack appeared first on Wallarm Blog...
Computer Viruses - Types, Methods, Technology & History
Document Title: =============== Computer Viruses - Types, Methods, Technology & History (original title: Computerviren - Arten, Verfahren, Technik & Geschichte) References: =========== https://www.vulnerability-lab.com/resources/documents/194.pdf Release Date: ============= 2011-07-17 Vulnerability Laboratory ID VL-ID: ==================================== 194 Discovery...