CVE-2024-40094 - Vulnerability Details

- graphql-java: Allocation of Resources Without Limits or Throttling in GraphQL Java

Description

GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. 20.9 and 19.11 are also fixed versions.

Published: 2024-07-30

Score: 5.3 Medium

EPSS: 17.5% Moderate

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

Package	CPE	Advisory	Released Date
Cryostat 3 on RHEL 8
cryostat-tech-preview/cryostat-db-rhel8:3.0.1-5	cpe:/a:redhat:cryostat:3::el8	RHSA-2024:8329	2024-10-22T00:00:00Z
cryostat-tech-preview/cryostat-grafana-dashboard-rhel8:3.0.1-5	cpe:/a:redhat:cryostat:3::el8	RHSA-2024:8329	2024-10-22T00:00:00Z
cryostat-tech-preview/cryostat-operator-bundle:3.0.1-5	cpe:/a:redhat:cryostat:3::el8	RHSA-2024:8329	2024-10-22T00:00:00Z
cryostat-tech-preview/cryostat-ose-oauth-proxy-rhel8:3.0.1-5	cpe:/a:redhat:cryostat:3::el8	RHSA-2024:8329	2024-10-22T00:00:00Z
cryostat-tech-preview/cryostat-reports-rhel8:3.0.1-5	cpe:/a:redhat:cryostat:3::el8	RHSA-2024:8329	2024-10-22T00:00:00Z
cryostat-tech-preview/cryostat-rhel8:3.0.1-5	cpe:/a:redhat:cryostat:3::el8	RHSA-2024:8329	2024-10-22T00:00:00Z
cryostat-tech-preview/cryostat-rhel8-operator:3.0.1-5	cpe:/a:redhat:cryostat:3::el8	RHSA-2024:8329	2024-10-22T00:00:00Z
cryostat-tech-preview/cryostat-storage-rhel8:3.0.1-5	cpe:/a:redhat:cryostat:3::el8	RHSA-2024:8329	2024-10-22T00:00:00Z
cryostat-tech-preview/jfr-datasource-rhel8:3.0.1-5	cpe:/a:redhat:cryostat:3::el8	RHSA-2024:8329	2024-10-22T00:00:00Z
Red Hat build of Quarkus 3.2
com.graphql-java.graphql-java	cpe:/a:redhat:quarkus:3.2::el8	RHSA-2024:7676	2024-10-10T00:00:00Z
Red Hat build of Quarkus 3.8
com.graphql-java.graphql-java	cpe:/a:redhat:quarkus:3.8::el8	RHSA-2024:7670	2024-10-10T00:00:00Z
RHOSS-1.35-RHEL-8
openshift-serverless-1/logic-data-index-ephemeral-rhel8:1.35.0-5	cpe:/a:redhat:openshift_serverless:1.35::el8	RHSA-2025:0664	2025-01-23T00:00:00Z
openshift-serverless-1/logic-data-index-postgresql-rhel8:1.35.0-5	cpe:/a:redhat:openshift_serverless:1.35::el8	RHSA-2025:0664	2025-01-23T00:00:00Z
openshift-serverless-1/logic-jobs-service-ephemeral-rhel8:1.35.0-5	cpe:/a:redhat:openshift_serverless:1.35::el8	RHSA-2025:0664	2025-01-23T00:00:00Z
openshift-serverless-1/logic-jobs-service-postgresql-rhel8:1.35.0-6	cpe:/a:redhat:openshift_serverless:1.35::el8	RHSA-2025:0664	2025-01-23T00:00:00Z
openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8:1.35.0-2	cpe:/a:redhat:openshift_serverless:1.35::el8	RHSA-2025:0664	2025-01-23T00:00:00Z
openshift-serverless-1/logic-management-console-rhel8:1.35.0-5	cpe:/a:redhat:openshift_serverless:1.35::el8	RHSA-2025:0664	2025-01-23T00:00:00Z
openshift-serverless-1/logic-operator-bundle:1.35.0-5	cpe:/a:redhat:openshift_serverless:1.35::el8	RHSA-2025:0664	2025-01-23T00:00:00Z
openshift-serverless-1/logic-rhel8-operator:1.35.0-6	cpe:/a:redhat:openshift_serverless:1.35::el8	RHSA-2025:0664	2025-01-23T00:00:00Z
openshift-serverless-1/logic-swf-builder-rhel8:1.35.0-6	cpe:/a:redhat:openshift_serverless:1.35::el8	RHSA-2025:0664	2025-01-23T00:00:00Z
openshift-serverless-1/logic-swf-devmode-rhel8:1.35.0-6	cpe:/a:redhat:openshift_serverless:1.35::el8	RHSA-2025:0664	2025-01-23T00:00:00Z

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-h9mq-f6q5-6c8m	GraphQL Java does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.1753.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/graphql-java/graphql-java/commit/97743bc1b5caa2b0bd894dc8e128b47e4d771e4a
https://github.com/graphql-java/graphql-java/discussions/3641
https://github.com/graphql-java/graphql-java/pull/3539
https://github.com/graphql-java/graphql-java/releases/tag/v19.11
https://github.com/graphql-java/graphql-java/releases/tag/v20.9
https://github.com/graphql-java/graphql-java/releases/tag/v21.5
https://nvd.nist.gov/vuln/detail/CVE-2024-40094
https://www.cve.org/CVERecord?id=CVE-2024-40094

History

Fri, 28 Mar 2025 15:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:quarkus:3.8::el8

Thu, 13 Feb 2025 00:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat openshift Serverless
CPEs		cpe:/a:redhat:openshift_serverless:1.35::el8
Vendors & Products		Redhat openshift Serverless

Thu, 05 Dec 2024 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat quarkus
CPEs		cpe:/a:redhat:quarkus:3.2::el8
Vendors & Products		Redhat quarkus

Wed, 20 Nov 2024 21:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

Wed, 23 Oct 2024 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat cryostat
CPEs		cpe:/a:redhat:cryostat:3::el8
Vendors & Products		Redhat Redhat cryostat

Fri, 27 Sep 2024 13:30:00 +0000

Type	Values Removed	Values Added
Title		graphql-java: Allocation of Resources Without Limits or Throttling in GraphQL Java
Weaknesses		CWE-770
References		https://nvd.nist.gov/vuln/detail/CVE-2024-40094 https://www.cve.org/CVERecord?id=CVE-2024-40094
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Subscriptions

Redhat Cryostat Openshift Serverless Quarkus

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-07-30T00:00:00.000Z

Updated: 2024-11-20T20:13:40.560Z

Reserved: 2024-07-05T00:00:00.000Z

Link: CVE-2024-40094

Vulnrichment

Updated: 2024-08-02T04:33:11.692Z

NVD

Status : Deferred

Published: 2024-07-30T07:15:01.840

Modified: 2026-04-15T00:35:42.020

Link: CVE-2024-40094

Redhat

Severity : Moderate

Publid Date: 2024-07-30T00:00:00Z

Links: CVE-2024-40094 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-770

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object