CVE-2021-43801 - OpenCVE

Mercurius is a GraphQL adapter for Fastify. Any users from Mercurius@8.10.0 to 8.11.1 are subjected to a denial of service attack by sending a malformed JSON to `/graphql` unless they are using a custom error handler. The vulnerability has been fixed in https://github.com/mercurius-js/mercurius/pull/678 and shipped as v8.11.2. As a workaround users may use a custom error handler.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mercurius Project	Mercurius

Configuration 1 [-]

cpe:2.3:a:mercurius_project:mercurius:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/mercurius-js/mercurius/issues/677
https://github.com/mercurius-js/mercurius/pull/678/commits/732b2f895312da8deadd7b173dcd2d141d54b223
https://github.com/mercurius-js/mercurius/security/advisories/GHSA-273r-rm8g-7f3x

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-12-13T19:30:12

Updated: 2024-08-04T04:03:08.899Z

Reserved: 2021-11-16T00:00:00

Link: CVE-2021-43801

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-12-13T20:15:07.577

Modified: 2021-12-15T21:46:47.657

Link: CVE-2021-43801

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "mercurius", "vendor": "mercurius-js", "versions": [{"status": "affected", "version": ">= 8.10.0, < 8.11.2"}]}], "descriptions": [{"lang": "en", "value": "Mercurius is a GraphQL adapter for Fastify. Any users from Mercurius@8.10.0 to 8.11.1 are subjected to a denial of service attack by sending a malformed JSON to `/graphql` unless they are using a custom error handler. The vulnerability has been fixed in https://github.com/mercurius-js/mercurius/pull/678 and shipped as v8.11.2. As a workaround users may use a custom error handler."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-754", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-13T19:30:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mercurius-js/mercurius/security/advisories/GHSA-273r-rm8g-7f3x"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/mercurius-js/mercurius/issues/677"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/mercurius-js/mercurius/pull/678/commits/732b2f895312da8deadd7b173dcd2d141d54b223"}], "source": {"advisory": "GHSA-273r-rm8g-7f3x", "discovery": "UNKNOWN"}, "title": "Uncaught Exception in mercurius", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-43801", "STATE": "PUBLIC", "TITLE": "Uncaught Exception in mercurius"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "mercurius", "version": {"version_data": [{"version_value": ">= 8.10.0, < 8.11.2"}]}}]}, "vendor_name": "mercurius-js"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Mercurius is a GraphQL adapter for Fastify. Any users from Mercurius@8.10.0 to 8.11.1 are subjected to a denial of service attack by sending a malformed JSON to `/graphql` unless they are using a custom error handler. The vulnerability has been fixed in https://github.com/mercurius-js/mercurius/pull/678 and shipped as v8.11.2. As a workaround users may use a custom error handler."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-754: Improper Check for Unusual or Exceptional Conditions"}]}]}, "references": {"reference_data": [{"name": "https://github.com/mercurius-js/mercurius/security/advisories/GHSA-273r-rm8g-7f3x", "refsource": "CONFIRM", "url": "https://github.com/mercurius-js/mercurius/security/advisories/GHSA-273r-rm8g-7f3x"}, {"name": "https://github.com/mercurius-js/mercurius/issues/677", "refsource": "MISC", "url": "https://github.com/mercurius-js/mercurius/issues/677"}, {"name": "https://github.com/mercurius-js/mercurius/pull/678/commits/732b2f895312da8deadd7b173dcd2d141d54b223", "refsource": "MISC", "url": "https://github.com/mercurius-js/mercurius/pull/678/commits/732b2f895312da8deadd7b173dcd2d141d54b223"}]}, "source": {"advisory": "GHSA-273r-rm8g-7f3x", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:03:08.899Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/mercurius-js/mercurius/security/advisories/GHSA-273r-rm8g-7f3x"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mercurius-js/mercurius/issues/677"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mercurius-js/mercurius/pull/678/commits/732b2f895312da8deadd7b173dcd2d141d54b223"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-43801", "datePublished": "2021-12-13T19:30:12", "dateReserved": "2021-11-16T00:00:00", "dateUpdated": "2024-08-04T04:03:08.899Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mercurius_project:mercurius:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "8746C91F-FFCB-4ECD-BE62-EDFF7D9AACC6", "versionEndExcluding": "8.11.2", "versionStartIncluding": "8.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mercurius is a GraphQL adapter for Fastify. Any users from Mercurius@8.10.0 to 8.11.1 are subjected to a denial of service attack by sending a malformed JSON to `/graphql` unless they are using a custom error handler. The vulnerability has been fixed in https://github.com/mercurius-js/mercurius/pull/678 and shipped as v8.11.2. As a workaround users may use a custom error handler."}, {"lang": "es", "value": "Mercurius es un adaptador GraphQL para Fastify. Cualquier usuario de Mercurius@ versiones 8.10.0 a 8.11.1, est\u00e1 sujeto a un ataque de denegaci\u00f3n de servicio mediante el env\u00edo de un JSON malformado a \"/graphql\" a menos que est\u00e9 usando un administrador de errores personalizado. La vulnerabilidad ha sido corregida en https://github.com/mercurius-js/mercurius/pull/678 y ha sido distribuida en la versi\u00f3n 8.11.2. Como soluci\u00f3n, los usuarios pueden usar un administrador de errores personalizado"}], "id": "CVE-2021-43801", "lastModified": "2021-12-15T21:46:47.657", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Primary"}]}, "published": "2021-12-13T20:15:07.577", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/mercurius-js/mercurius/issues/677"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/mercurius-js/mercurius/pull/678/commits/732b2f895312da8deadd7b173dcd2d141d54b223"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/mercurius-js/mercurius/security/advisories/GHSA-273r-rm8g-7f3x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-754"}], "source": "security-advisories@github.com", "type": "Primary"}]}