Veracode Vulnerability DatabaseVERACODE:37012Denial Of Services (DoS)
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
20.7%
graphql-java is vulnerable to denial-of-service. The vulnerability exists because ANTLR lexing and parsing code is taking proportionally longer to get to the max token state which allows a remote attacker to send a malicious GraphQL query that consumes CPU resources resulting in an application crash.
References
github.com/advisories/GHSA-v62j-cxhh-fq22
github.com/graphql-java/graphql-java/commit/0256fd0627148e5b71218e424c310f48b066a041
github.com/graphql-java/graphql-java/commit/7f27a046c1cb133ede2fa64ffe5a499ad4c0b223
github.com/graphql-java/graphql-java/commit/cb88645bec5778c1a90f81e58bd394bdc605c166
github.com/graphql-java/graphql-java/discussions/2958
github.com/graphql-java/graphql-java/issues/2888
github.com/graphql-java/graphql-java/pull/2892
github.com/graphql-java/graphql-java/releases
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
20.7%