{ "threat_severity" : "Moderate", "public_date" : "2024-07-30T00:00:00Z", "bugzilla" : { "description" : "graphql-java: Allocation of Resources Without Limits or Throttling in GraphQL Java", "id" : "2301456", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2301456" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-770", "details" : [ "GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. 20.9 and 19.11 are also fixed versions.", "A vulnerability was found in GraphQL Java, affecting versions prior to 21.5. This flaw allows an attacker to perform a denial of service (DoS) attack via introspection queries. The issue arises due to the improper handling of ExecutableNormalizedFields (ENFs), which are not adequately considered during the introspection query process. This issue could lead to resource exhaustion and service disruption under certain conditions." ], "affected_release" : [ { "product_name" : "Cryostat 3 on RHEL 8", "release_date" : "2024-10-22T00:00:00Z", "advisory" : "RHSA-2024:8329", "cpe" : "cpe:/a:redhat:cryostat:3::el8", "package" : "cryostat-tech-preview/cryostat-db-rhel8:3.0.1-5" }, { "product_name" : "Cryostat 3 on RHEL 8", "release_date" : "2024-10-22T00:00:00Z", "advisory" : "RHSA-2024:8329", "cpe" : "cpe:/a:redhat:cryostat:3::el8", "package" : "cryostat-tech-preview/cryostat-grafana-dashboard-rhel8:3.0.1-5" }, { "product_name" : "Cryostat 3 on RHEL 8", "release_date" : "2024-10-22T00:00:00Z", "advisory" : "RHSA-2024:8329", "cpe" : "cpe:/a:redhat:cryostat:3::el8", "package" : "cryostat-tech-preview/cryostat-operator-bundle:3.0.1-5" }, { "product_name" : "Cryostat 3 on RHEL 8", "release_date" : "2024-10-22T00:00:00Z", "advisory" : "RHSA-2024:8329", "cpe" : "cpe:/a:redhat:cryostat:3::el8", "package" : "cryostat-tech-preview/cryostat-ose-oauth-proxy-rhel8:3.0.1-5" }, { "product_name" : "Cryostat 3 on RHEL 8", "release_date" : "2024-10-22T00:00:00Z", "advisory" : "RHSA-2024:8329", "cpe" : "cpe:/a:redhat:cryostat:3::el8", "package" : "cryostat-tech-preview/cryostat-reports-rhel8:3.0.1-5" }, { "product_name" : "Cryostat 3 on RHEL 8", "release_date" : "2024-10-22T00:00:00Z", "advisory" : "RHSA-2024:8329", "cpe" : "cpe:/a:redhat:cryostat:3::el8", "package" : "cryostat-tech-preview/cryostat-rhel8:3.0.1-5" }, { "product_name" : "Cryostat 3 on RHEL 8", "release_date" : "2024-10-22T00:00:00Z", "advisory" : "RHSA-2024:8329", "cpe" : "cpe:/a:redhat:cryostat:3::el8", "package" : "cryostat-tech-preview/cryostat-rhel8-operator:3.0.1-5" }, { "product_name" : "Cryostat 3 on RHEL 8", "release_date" : "2024-10-22T00:00:00Z", "advisory" : "RHSA-2024:8329", "cpe" : "cpe:/a:redhat:cryostat:3::el8", "package" : "cryostat-tech-preview/cryostat-storage-rhel8:3.0.1-5" }, { "product_name" : "Cryostat 3 on RHEL 8", "release_date" : "2024-10-22T00:00:00Z", "advisory" : "RHSA-2024:8329", "cpe" : "cpe:/a:redhat:cryostat:3::el8", "package" : "cryostat-tech-preview/jfr-datasource-rhel8:3.0.1-5" }, { "product_name" : "Red Hat build of Quarkus 3.2", "release_date" : "2024-10-10T00:00:00Z", "advisory" : "RHSA-2024:7676", "cpe" : "cpe:/a:redhat:quarkus:3.2::el8", "package" : "com.graphql-java.graphql-java" }, { "product_name" : "Red Hat build of Quarkus 3.8", "release_date" : "2024-10-10T00:00:00Z", "advisory" : "RHSA-2024:7670", "cpe" : "cpe:/a:redhat:quarkus:3.8::el8", "package" : "com.graphql-java.graphql-java" }, { "product_name" : "RHOSS-1.35-RHEL-8", "release_date" : "2025-01-23T00:00:00Z", "advisory" : "RHSA-2025:0664", "cpe" : "cpe:/a:redhat:openshift_serverless:1.35::el8", "package" : "openshift-serverless-1/logic-data-index-ephemeral-rhel8:1.35.0-5" }, { "product_name" : "RHOSS-1.35-RHEL-8", "release_date" : "2025-01-23T00:00:00Z", "advisory" : "RHSA-2025:0664", "cpe" : "cpe:/a:redhat:openshift_serverless:1.35::el8", "package" : "openshift-serverless-1/logic-data-index-postgresql-rhel8:1.35.0-5" }, { "product_name" : "RHOSS-1.35-RHEL-8", "release_date" : "2025-01-23T00:00:00Z", "advisory" : "RHSA-2025:0664", "cpe" : "cpe:/a:redhat:openshift_serverless:1.35::el8", "package" : "openshift-serverless-1/logic-jobs-service-ephemeral-rhel8:1.35.0-5" }, { "product_name" : "RHOSS-1.35-RHEL-8", "release_date" : "2025-01-23T00:00:00Z", "advisory" : "RHSA-2025:0664", "cpe" : "cpe:/a:redhat:openshift_serverless:1.35::el8", "package" : "openshift-serverless-1/logic-jobs-service-postgresql-rhel8:1.35.0-6" }, { "product_name" : "RHOSS-1.35-RHEL-8", "release_date" : "2025-01-23T00:00:00Z", "advisory" : "RHSA-2025:0664", "cpe" : "cpe:/a:redhat:openshift_serverless:1.35::el8", "package" : "openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8:1.35.0-2" }, { "product_name" : "RHOSS-1.35-RHEL-8", "release_date" : "2025-01-23T00:00:00Z", "advisory" : "RHSA-2025:0664", "cpe" : "cpe:/a:redhat:openshift_serverless:1.35::el8", "package" : "openshift-serverless-1/logic-management-console-rhel8:1.35.0-5" }, { "product_name" : "RHOSS-1.35-RHEL-8", "release_date" : "2025-01-23T00:00:00Z", "advisory" : "RHSA-2025:0664", "cpe" : "cpe:/a:redhat:openshift_serverless:1.35::el8", "package" : "openshift-serverless-1/logic-operator-bundle:1.35.0-5" }, { "product_name" : "RHOSS-1.35-RHEL-8", "release_date" : "2025-01-23T00:00:00Z", "advisory" : "RHSA-2025:0664", "cpe" : "cpe:/a:redhat:openshift_serverless:1.35::el8", "package" : "openshift-serverless-1/logic-rhel8-operator:1.35.0-6" }, { "product_name" : "RHOSS-1.35-RHEL-8", "release_date" : "2025-01-23T00:00:00Z", "advisory" : "RHSA-2025:0664", "cpe" : "cpe:/a:redhat:openshift_serverless:1.35::el8", "package" : "openshift-serverless-1/logic-swf-builder-rhel8:1.35.0-6" }, { "product_name" : "RHOSS-1.35-RHEL-8", "release_date" : "2025-01-23T00:00:00Z", "advisory" : "RHSA-2025:0664", "cpe" : "cpe:/a:redhat:openshift_serverless:1.35::el8", "package" : "openshift-serverless-1/logic-swf-devmode-rhel8:1.35.0-6" } ], "package_state" : [ { "product_name" : "Red Hat build of Apicurio Registry 2", "fix_state" : "Not affected", "package_name" : "com.graphql-java/graphql-java", "cpe" : "cpe:/a:redhat:service_registry:2" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Out of support scope", "package_name" : "com.graphql-java/graphql-java", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Out of support scope", "package_name" : "com.graphql-java/graphql-java", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Out of support scope", "package_name" : "com.graphql-java/graphql-java", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "com.graphql-java/graphql-java", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "com.graphql-java/graphql-java", "cpe" : "cpe:/a:redhat:jbosseapxp" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-40094\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-40094\nhttps://github.com/graphql-java/graphql-java/commit/97743bc1b5caa2b0bd894dc8e128b47e4d771e4a\nhttps://github.com/graphql-java/graphql-java/discussions/3641\nhttps://github.com/graphql-java/graphql-java/pull/3539\nhttps://github.com/graphql-java/graphql-java/releases/tag/v19.11\nhttps://github.com/graphql-java/graphql-java/releases/tag/v20.9\nhttps://github.com/graphql-java/graphql-java/releases/tag/v21.5" ], "name" : "CVE-2024-40094", "csaw" : false }