{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-50311", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-10-22T07:15:25.163Z", "datePublished": "2024-10-22T13:24:04.199Z", "dateUpdated": "2024-10-30T18:57:43.207Z"}, "containers": {"cna": {"title": "Graphql: denial of service (dos) vulnerability via graphql batching", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A denial of service (DoS) vulnerability was found in OpenShift. This flaw allows attackers to exploit the GraphQL batching functionality. The vulnerability arises when multiple queries can be sent within a single request, enabling an attacker to submit a request containing thousands of aliases in one query. This issue causes excessive resource consumption, leading to application unavailability for legitimate users."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openshift4/ose-console", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openshift:4"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-50311", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2319379", "name": "RHBZ#2319379", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2024-10-17T13:16:49.327000+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-400: Uncontrolled Resource Consumption", "timeline": [{"lang": "en", "time": "2024-10-17T12:33:51.373000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-10-17T13:16:49.327000+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Maksymilian Kubiak (AFINE), Pawe\u0142 Zdunek (AFINE), and S\u0142awomir Zakrzewski (AFINE) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-10-30T18:57:43.207Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-22T15:43:27.683347Z", "id": "CVE-2024-50311", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T15:43:43.098Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-50311", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-22T15:43:27.683347Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T15:43:38.993Z"}}], "cna": {"title": "Graphql: denial of service (dos) vulnerability via graphql batching", "credits": [{"lang": "en", "value": "Red Hat would like to thank Maksymilian Kubiak (AFINE), Pawe\u0142 Zdunek (AFINE), and S\u0142awomir Zakrzewski (AFINE) for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"cpes": ["cpe:/a:redhat:openshift:4"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "packageName": "openshift4/ose-console", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2024-10-17T12:33:51.373000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-10-17T13:16:49.327000+00:00", "value": "Made public."}], "datePublic": "2024-10-17T13:16:49.327000+00:00", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-50311", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2319379", "name": "RHBZ#2319379", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "descriptions": [{"lang": "en", "value": "A denial of service (DoS) vulnerability was found in OpenShift. This flaw allows attackers to exploit the GraphQL batching functionality. The vulnerability arises when multiple queries can be sent within a single request, enabling an attacker to submit a request containing thousands of aliases in one query. This issue causes excessive resource consumption, leading to application unavailability for legitimate users."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-10-30T18:57:43.207Z"}, "x_redhatCweChain": "CWE-400: Uncontrolled Resource Consumption"}}, "cveMetadata": {"cveId": "CVE-2024-50311", "state": "PUBLISHED", "dateUpdated": "2024-10-30T18:57:43.207Z", "dateReserved": "2024-10-22T07:15:25.163Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-10-22T13:24:04.199Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "932D137F-528B-4526-9A89-CD59FA1AB0FE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A denial of service (DoS) vulnerability was found in OpenShift. This flaw allows attackers to exploit the GraphQL batching functionality. The vulnerability arises when multiple queries can be sent within a single request, enabling an attacker to submit a request containing thousands of aliases in one query. This issue causes excessive resource consumption, leading to application unavailability for legitimate users."}, {"lang": "es", "value": " Se encontr\u00f3 una vulnerabilidad de denegaci\u00f3n de servicio (DoS) en OpenShift. Este fallo permite a los atacantes explotar la funcionalidad de procesamiento por lotes de GraphQL. La vulnerabilidad surge cuando se pueden enviar m\u00faltiples consultas dentro de una sola solicitud, lo que permite a un atacante enviar una solicitud que contiene miles de alias en una sola consulta. Este problema provoca un consumo excesivo de recursos, lo que lleva a que la aplicaci\u00f3n no est\u00e9 disponible para los usuarios leg\u00edtimos."}], "id": "CVE-2024-50311", "lastModified": "2024-10-30T18:39:40.617", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-10-22T14:15:19.450", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2024-50311"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2319379"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Maksymilian Kubiak (AFINE), Pawe\u0142 Zdunek (AFINE), and S\u0142awomir Zakrzewski (AFINE) for reporting this issue.", "bugzilla": {"description": "GraphQL: Denial of Service (DoS) vulnerability via GraphQL Batching", "id": "2319379", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2319379"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-400", "details": ["A denial of service (DoS) vulnerability was found in OpenShift. This flaw allows attackers to exploit the GraphQL batching functionality. The vulnerability arises when multiple queries can be sent within a single request, enabling an attacker to submit a request containing thousands of aliases in one query. This issue causes excessive resource consumption, leading to application unavailability for legitimate users.", "A denial of service (DoS) vulnerability was found in OpenShift. This flaw allows attackers to exploit the GraphQL batching functionality. The vulnerability arises when multiple queries can be sent within a single request, enabling an attacker to submit a request containing thousands of aliases in one query. This issue causes excessive resource consumption, leading to application unavailability for legitimate users."], "name": "CVE-2024-50311", "package_state": [{"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-console", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2024-10-17T13:16:49Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-50311\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-50311"], "threat_severity": "Moderate"}