OpenCVE

graphql-java before19.0 is vulnerable to Denial of Service. An attacker can send a malicious GraphQL query that consumes CPU resources. The fixed versions are 19.0 and later, 18.3, and 17.4, and 0.0.0-2022-07-26T05-45-04-226aabd9.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Graphql-java Project	Graphql-java
Redhat	Openshift Application Runtimes Quarkus Service Registry

Configuration 1 [-]

OR	cpe:2.3:a:graphql-java_project:graphql-java::::::java::*
	cpe:2.3:a:graphql-java_project:graphql-java::::::::

Package	CPE	Advisory	Released Date
Red Hat build of Eclipse Vert.x 4.3.3
graphql-java	cpe:/a:redhat:openshift_application_runtimes:1.0	RHSA-2022:6757	2022-10-05T00:00:00Z
Red Hat build of Quarkus 2.13.5
	cpe:/a:redhat:quarkus:2.13	RHSA-2022:9023	2022-12-14T00:00:00Z
RHINT Service Registry 2.3.0 GA
graphql-java	cpe:/a:redhat:service_registry:2.3	RHSA-2022:6835	2022-10-06T00:00:00Z

References

Link	Providers
https://github.com/graphql-java/graphql-java/discussions/2958
https://github.com/graphql-java/graphql-java/issues/2888
https://github.com/graphql-java/graphql-java/pull/2892
https://github.com/graphql-java/graphql-java/releases
https://nvd.nist.gov/vuln/detail/CVE-2022-37734
https://www.cve.org/CVERecord?id=CVE-2022-37734

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-09-12T13:14:35

Updated: 2024-08-03T10:37:40.930Z

Reserved: 2022-08-08T00:00:00

Link: CVE-2022-37734

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-09-12T14:15:09.047

Modified: 2023-08-08T14:22:24.967

Link: CVE-2022-37734

Redhat

Severity : Low

Publid Date: 2022-09-12T00:00:00Z

Links: CVE-2022-37734 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "graphql-java before19.0 is vulnerable to Denial of Service. An attacker can send a malicious GraphQL query that consumes CPU resources. The fixed versions are 19.0 and later, 18.3, and 17.4, and 0.0.0-2022-07-26T05-45-04-226aabd9."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-09-28T19:48:36", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/graphql-java/graphql-java/issues/2888"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/graphql-java/graphql-java/pull/2892"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/graphql-java/graphql-java/discussions/2958"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/graphql-java/graphql-java/releases"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-37734", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "graphql-java before19.0 is vulnerable to Denial of Service. An attacker can send a malicious GraphQL query that consumes CPU resources. The fixed versions are 19.0 and later, 18.3, and 17.4, and 0.0.0-2022-07-26T05-45-04-226aabd9."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/graphql-java/graphql-java/issues/2888", "refsource": "MISC", "url": "https://github.com/graphql-java/graphql-java/issues/2888"}, {"name": "https://github.com/graphql-java/graphql-java/pull/2892", "refsource": "MISC", "url": "https://github.com/graphql-java/graphql-java/pull/2892"}, {"name": "https://github.com/graphql-java/graphql-java/discussions/2958", "refsource": "CONFIRM", "url": "https://github.com/graphql-java/graphql-java/discussions/2958"}, {"name": "https://github.com/graphql-java/graphql-java/releases", "refsource": "CONFIRM", "url": "https://github.com/graphql-java/graphql-java/releases"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:37:40.930Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/graphql-java/graphql-java/issues/2888"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/graphql-java/graphql-java/pull/2892"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/graphql-java/graphql-java/discussions/2958"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/graphql-java/graphql-java/releases"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-37734", "datePublished": "2022-09-12T13:14:35", "dateReserved": "2022-08-08T00:00:00", "dateUpdated": "2024-08-03T10:37:40.930Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:graphql-java_project:graphql-java:*:*:*:*:*:java:*:*", "matchCriteriaId": "6213C053-09F9-4ECB-A97C-D9889C0FD6B3", "versionEndExcluding": "17.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:graphql-java_project:graphql-java:*:*:*:*:*:*:*:*", "matchCriteriaId": "615E4172-550D-42EB-B32C-B7C15C33DD37", "versionEndExcluding": "18.3", "versionStartIncluding": "18.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "graphql-java before19.0 is vulnerable to Denial of Service. An attacker can send a malicious GraphQL query that consumes CPU resources. The fixed versions are 19.0 and later, 18.3, and 17.4, and 0.0.0-2022-07-26T05-45-04-226aabd9."}, {"lang": "es", "value": "graphql-java before19.0 es vulnerable a la denegaci\u00f3n de servicio. Un atacante puede enviar una consulta GraphQL maliciosa que consuma recursos de la CPU. Las versiones corregidas son 19.0 y posteriores, 18.3 y 17.4, y 0.0.0-2022-07-26T05-45-04-226aabd9"}], "id": "CVE-2022-37734", "lastModified": "2023-08-08T14:22:24.967", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-12T14:15:09.047", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/graphql-java/graphql-java/discussions/2958"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/graphql-java/graphql-java/issues/2888"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/graphql-java/graphql-java/pull/2892"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/graphql-java/graphql-java/releases"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:6757", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "graphql-java", "product_name": "Red Hat build of Eclipse Vert.x 4.3.3", "release_date": "2022-10-05T00:00:00Z"}, {"advisory": "RHSA-2022:9023", "cpe": "cpe:/a:redhat:quarkus:2.13", "product_name": "Red Hat build of Quarkus 2.13.5", "release_date": "2022-12-14T00:00:00Z"}, {"advisory": "RHSA-2022:6835", "cpe": "cpe:/a:redhat:service_registry:2.3", "package": "graphql-java", "product_name": "RHINT Service Registry 2.3.0 GA", "release_date": "2022-10-06T00:00:00Z"}], "bugzilla": {"description": "graphql-java: DoS by malicious query", "id": "2126809", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126809"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-1333", "details": ["graphql-java before19.0 is vulnerable to Denial of Service. An attacker can send a malicious GraphQL query that consumes CPU resources. The fixed versions are 19.0 and later, 18.3, and 17.4, and 0.0.0-2022-07-26T05-45-04-226aabd9.", "A flaw was found in GraphQL Java. This flaw allows an attacker to use a malicious query in GraphQL to cause a denial of service due to inefficient lexer input validation."], "name": "CVE-2022-37734", "package_state": [{"cpe": "cpe:/a:redhat:quarkus:2", "fix_state": "Will not fix", "package_name": "graphql-java", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "graphql-java", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "graphql-java", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "graphql-java", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "graphql-java", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2022-09-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-37734\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-37734"], "threat_severity": "Low", "upstream_fix": "graphql-java 19.0, graphql-java 18.3, graphql-java 17.4"}