{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-40094", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T04:33:11.692Z", "dateReserved": "2024-07-05T00:00:00", "datePublished": "2024-07-30T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-07-30T06:24:07.203520"}, "descriptions": [{"lang": "en", "value": "GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. 20.9 and 19.11 are also fixed versions."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/graphql-java/graphql-java/releases/tag/v21.5"}, {"url": "https://github.com/graphql-java/graphql-java/releases/tag/v20.9"}, {"url": "https://github.com/graphql-java/graphql-java/releases/tag/v19.11"}, {"url": "https://github.com/graphql-java/graphql-java/commit/97743bc1b5caa2b0bd894dc8e128b47e4d771e4a"}, {"url": "https://github.com/graphql-java/graphql-java/discussions/3641"}, {"url": "https://github.com/graphql-java/graphql-java/pull/3539"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-30T14:42:03.528958Z", "id": "CVE-2024-40094", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-30T14:42:15.314Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:33:11.692Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/graphql-java/graphql-java/releases/tag/v21.5", "tags": ["x_transferred"]}, {"url": "https://github.com/graphql-java/graphql-java/releases/tag/v20.9", "tags": ["x_transferred"]}, {"url": "https://github.com/graphql-java/graphql-java/releases/tag/v19.11", "tags": ["x_transferred"]}, {"url": "https://github.com/graphql-java/graphql-java/commit/97743bc1b5caa2b0bd894dc8e128b47e4d771e4a", "tags": ["x_transferred"]}, {"url": "https://github.com/graphql-java/graphql-java/discussions/3641", "tags": ["x_transferred"]}, {"url": "https://github.com/graphql-java/graphql-java/pull/3539", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-40094", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-30T14:42:03.528958Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-30T14:42:11.908Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/graphql-java/graphql-java/releases/tag/v21.5"}, {"url": "https://github.com/graphql-java/graphql-java/releases/tag/v20.9"}, {"url": "https://github.com/graphql-java/graphql-java/releases/tag/v19.11"}, {"url": "https://github.com/graphql-java/graphql-java/commit/97743bc1b5caa2b0bd894dc8e128b47e4d771e4a"}, {"url": "https://github.com/graphql-java/graphql-java/discussions/3641"}, {"url": "https://github.com/graphql-java/graphql-java/pull/3539"}], "descriptions": [{"lang": "en", "value": "GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. 20.9 and 19.11 are also fixed versions."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-07-30T06:24:07.203520"}}}, "cveMetadata": {"cveId": "CVE-2024-40094", "state": "PUBLISHED", "dateUpdated": "2024-07-30T14:42:15.314Z", "dateReserved": "2024-07-05T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-07-30T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. 20.9 and 19.11 are also fixed versions."}, {"lang": "es", "value": " GraphQL Java (tambi\u00e9n conocido como graphql-java) anterior a 21.5 no considera adecuadamente los ExecutableNormalizedFields (ENF) como parte de la prevenci\u00f3n de la denegaci\u00f3n de servicio mediante consultas de introspecci\u00f3n. 20.9 y 19.11 tambi\u00e9n son versiones fijas."}], "id": "CVE-2024-40094", "lastModified": "2024-07-30T13:32:45.943", "metrics": {}, "published": "2024-07-30T07:15:01.840", "references": [{"source": "cve@mitre.org", "url": "https://github.com/graphql-java/graphql-java/commit/97743bc1b5caa2b0bd894dc8e128b47e4d771e4a"}, {"source": "cve@mitre.org", "url": "https://github.com/graphql-java/graphql-java/discussions/3641"}, {"source": "cve@mitre.org", "url": "https://github.com/graphql-java/graphql-java/pull/3539"}, {"source": "cve@mitre.org", "url": "https://github.com/graphql-java/graphql-java/releases/tag/v19.11"}, {"source": "cve@mitre.org", "url": "https://github.com/graphql-java/graphql-java/releases/tag/v20.9"}, {"source": "cve@mitre.org", "url": "https://github.com/graphql-java/graphql-java/releases/tag/v21.5"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis"}

{"affected_release": [{"advisory": "RHSA-2024:8329", "cpe": "cpe:/a:redhat:cryostat:3::el8", "package": "cryostat-tech-preview/cryostat-db-rhel8:3.0.1-5", "product_name": "Cryostat 3 on RHEL 8", "release_date": "2024-10-22T00:00:00Z"}, {"advisory": "RHSA-2024:8329", "cpe": "cpe:/a:redhat:cryostat:3::el8", "package": "cryostat-tech-preview/cryostat-grafana-dashboard-rhel8:3.0.1-5", "product_name": "Cryostat 3 on RHEL 8", "release_date": "2024-10-22T00:00:00Z"}, {"advisory": "RHSA-2024:8329", "cpe": "cpe:/a:redhat:cryostat:3::el8", "package": "cryostat-tech-preview/cryostat-operator-bundle:3.0.1-5", "product_name": "Cryostat 3 on RHEL 8", "release_date": "2024-10-22T00:00:00Z"}, {"advisory": "RHSA-2024:8329", "cpe": "cpe:/a:redhat:cryostat:3::el8", "package": "cryostat-tech-preview/cryostat-ose-oauth-proxy-rhel8:3.0.1-5", "product_name": "Cryostat 3 on RHEL 8", "release_date": "2024-10-22T00:00:00Z"}, {"advisory": "RHSA-2024:8329", "cpe": "cpe:/a:redhat:cryostat:3::el8", "package": "cryostat-tech-preview/cryostat-reports-rhel8:3.0.1-5", "product_name": "Cryostat 3 on RHEL 8", "release_date": "2024-10-22T00:00:00Z"}, {"advisory": "RHSA-2024:8329", "cpe": "cpe:/a:redhat:cryostat:3::el8", "package": "cryostat-tech-preview/cryostat-rhel8:3.0.1-5", "product_name": "Cryostat 3 on RHEL 8", "release_date": "2024-10-22T00:00:00Z"}, {"advisory": "RHSA-2024:8329", "cpe": "cpe:/a:redhat:cryostat:3::el8", "package": "cryostat-tech-preview/cryostat-rhel8-operator:3.0.1-5", "product_name": "Cryostat 3 on RHEL 8", "release_date": "2024-10-22T00:00:00Z"}, {"advisory": "RHSA-2024:8329", "cpe": "cpe:/a:redhat:cryostat:3::el8", "package": "cryostat-tech-preview/cryostat-storage-rhel8:3.0.1-5", "product_name": "Cryostat 3 on RHEL 8", "release_date": "2024-10-22T00:00:00Z"}, {"advisory": "RHSA-2024:8329", "cpe": "cpe:/a:redhat:cryostat:3::el8", "package": "cryostat-tech-preview/jfr-datasource-rhel8:3.0.1-5", "product_name": "Cryostat 3 on RHEL 8", "release_date": "2024-10-22T00:00:00Z"}], "bugzilla": {"description": "graphql-java: Allocation of Resources Without Limits or Throttling in GraphQL Java", "id": "2301456", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2301456"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-770", "details": ["GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. 20.9 and 19.11 are also fixed versions.", "A vulnerability was found in GraphQL Java, affecting versions prior to 21.5. This flaw allows an attacker to perform a denial of service (DoS) attack via introspection queries. The issue arises due to the improper handling of ExecutableNormalizedFields (ENFs), which are not adequately considered during the introspection query process. This issue could lead to resource exhaustion and service disruption under certain conditions."], "name": "CVE-2024-40094", "package_state": [{"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "com.graphql-java/graphql-java", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Not affected", "package_name": "com.graphql-java/graphql-java", "product_name": "Red Hat build of Apicurio Registry"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Affected", "package_name": "com.graphql-java.graphql-java", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "com.graphql-java/graphql-java", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Out of support scope", "package_name": "com.graphql-java/graphql-java", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Out of support scope", "package_name": "com.graphql-java/graphql-java", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "com.graphql-java/graphql-java", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "com.graphql-java/graphql-java", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2024-07-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-40094\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-40094\nhttps://github.com/graphql-java/graphql-java/commit/97743bc1b5caa2b0bd894dc8e128b47e4d771e4a\nhttps://github.com/graphql-java/graphql-java/discussions/3641\nhttps://github.com/graphql-java/graphql-java/pull/3539\nhttps://github.com/graphql-java/graphql-java/releases/tag/v19.11\nhttps://github.com/graphql-java/graphql-java/releases/tag/v20.9\nhttps://github.com/graphql-java/graphql-java/releases/tag/v21.5"], "threat_severity": "Moderate"}