CVE-2022-31173 - OpenCVE

Juniper is a GraphQL server library for Rust. Affected versions of Juniper are vulnerable to uncontrolled recursion resulting in a program crash. This issue has been addressed in version 0.15.10. Users are advised to upgrade. Users unable to upgrade should limit the recursion depth manually.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Juniper Project	Juniper

Configuration 1 [-]

cpe:2.3:a:juniper_project:juniper:*:*:*:*:*:rust:*:*

No data.

References

Link	Providers
https://github.com/graphql-rust/juniper/blob/juniper-v0.15.10/juniper/CHANGELOG.md#01510-2022-07-28
https://github.com/graphql-rust/juniper/commit/2b609ee057be950e3454b69fadc431d120e407bb
https://github.com/graphql-rust/juniper/commit/8d28cdba6eb10f53490ba41d1b5cb40506c2de22
https://github.com/graphql-rust/juniper/security/advisories/GHSA-4rx6-g5vg-5f3j

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-08-01T18:50:12

Updated: 2024-08-03T07:11:39.596Z

Reserved: 2022-05-18T00:00:00

Link: CVE-2022-31173

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-08-01T19:15:08.330

Modified: 2023-07-24T13:08:13.910

Link: CVE-2022-31173

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "juniper", "vendor": "graphql-rust", "versions": [{"status": "affected", "version": "< 0.15.10"}]}], "descriptions": [{"lang": "en", "value": "Juniper is a GraphQL server library for Rust. Affected versions of Juniper are vulnerable to uncontrolled recursion resulting in a program crash. This issue has been addressed in version 0.15.10. Users are advised to upgrade. Users unable to upgrade should limit the recursion depth manually."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-01T18:50:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/graphql-rust/juniper/security/advisories/GHSA-4rx6-g5vg-5f3j"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/graphql-rust/juniper/commit/2b609ee057be950e3454b69fadc431d120e407bb"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/graphql-rust/juniper/commit/8d28cdba6eb10f53490ba41d1b5cb40506c2de22"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/graphql-rust/juniper/blob/juniper-v0.15.10/juniper/CHANGELOG.md#01510-2022-07-28"}], "source": {"advisory": "GHSA-4rx6-g5vg-5f3j", "discovery": "UNKNOWN"}, "title": "Juniper is vulnerable to @DOS GraphQL Nested Fragments overflow", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-31173", "STATE": "PUBLIC", "TITLE": "Juniper is vulnerable to @DOS GraphQL Nested Fragments overflow"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "juniper", "version": {"version_data": [{"version_value": "< 0.15.10"}]}}]}, "vendor_name": "graphql-rust"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Juniper is a GraphQL server library for Rust. Affected versions of Juniper are vulnerable to uncontrolled recursion resulting in a program crash. This issue has been addressed in version 0.15.10. Users are advised to upgrade. Users unable to upgrade should limit the recursion depth manually."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/graphql-rust/juniper/security/advisories/GHSA-4rx6-g5vg-5f3j", "refsource": "CONFIRM", "url": "https://github.com/graphql-rust/juniper/security/advisories/GHSA-4rx6-g5vg-5f3j"}, {"name": "https://github.com/graphql-rust/juniper/commit/2b609ee057be950e3454b69fadc431d120e407bb", "refsource": "MISC", "url": "https://github.com/graphql-rust/juniper/commit/2b609ee057be950e3454b69fadc431d120e407bb"}, {"name": "https://github.com/graphql-rust/juniper/commit/8d28cdba6eb10f53490ba41d1b5cb40506c2de22", "refsource": "MISC", "url": "https://github.com/graphql-rust/juniper/commit/8d28cdba6eb10f53490ba41d1b5cb40506c2de22"}, {"name": "https://github.com/graphql-rust/juniper/blob/juniper-v0.15.10/juniper/CHANGELOG.md#01510-2022-07-28", "refsource": "MISC", "url": "https://github.com/graphql-rust/juniper/blob/juniper-v0.15.10/juniper/CHANGELOG.md#01510-2022-07-28"}]}, "source": {"advisory": "GHSA-4rx6-g5vg-5f3j", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:11:39.596Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/graphql-rust/juniper/security/advisories/GHSA-4rx6-g5vg-5f3j"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/graphql-rust/juniper/commit/2b609ee057be950e3454b69fadc431d120e407bb"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/graphql-rust/juniper/commit/8d28cdba6eb10f53490ba41d1b5cb40506c2de22"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/graphql-rust/juniper/blob/juniper-v0.15.10/juniper/CHANGELOG.md#01510-2022-07-28"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-31173", "datePublished": "2022-08-01T18:50:12", "dateReserved": "2022-05-18T00:00:00", "dateUpdated": "2024-08-03T07:11:39.596Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:juniper_project:juniper:*:*:*:*:*:rust:*:*", "matchCriteriaId": "FC49E6F1-2A38-4C24-B62A-71DAFA11519A", "versionEndExcluding": "0.15.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Juniper is a GraphQL server library for Rust. Affected versions of Juniper are vulnerable to uncontrolled recursion resulting in a program crash. This issue has been addressed in version 0.15.10. Users are advised to upgrade. Users unable to upgrade should limit the recursion depth manually."}, {"lang": "es", "value": "Juniper es una biblioteca de servidor GraphQL para Rust. Las versiones afectadas de Juniper son vulnerables a una recursividad no controlada resultando en un bloqueo del programa. Este problema ha sido abordado en versi\u00f3n 0.15.10. Es recomendado a usuarios actualizar. Los usuarios que no puedan actualizar deber\u00e1n limitar la profundidad de la recursi\u00f3n manualmente"}], "id": "CVE-2022-31173", "lastModified": "2023-07-24T13:08:13.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-08-01T19:15:08.330", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/graphql-rust/juniper/blob/juniper-v0.15.10/juniper/CHANGELOG.md#01510-2022-07-28"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/graphql-rust/juniper/commit/2b609ee057be950e3454b69fadc431d120e407bb"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/graphql-rust/juniper/commit/8d28cdba6eb10f53490ba41d1b5cb40506c2de22"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/graphql-rust/juniper/security/advisories/GHSA-4rx6-g5vg-5f3j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-674"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}