CVE-2023-28867 - Vulnerability Details

Vendors	Products
Graphql-java	Graphql-java
Redhat	Quarkus Service Registry

Package	CPE	Advisory	Released Date
Red Hat build of Quarkus 2.13.8.Final
com.graphql-java/graphql-java:19.4.0.redhat-00001	cpe:/a:redhat:quarkus:2.13::el8	RHSA-2023:3809	2023-06-29T00:00:00Z
RHINT Service Registry 2.4.3 GA
graphql-java	cpe:/a:redhat:service_registry:2.4	RHSA-2023:3815	2023-06-27T00:00:00Z

Link	Providers
https://github.com/graphql-java/graphql-java/pull/3112
https://github.com/graphql-java/graphql-java/releases/tag/v17.5
https://github.com/graphql-java/graphql-java/releases/tag/v18.4
https://github.com/graphql-java/graphql-java/releases/tag/v19.4
https://github.com/graphql-java/graphql-java/releases/tag/v20.1
https://nvd.nist.gov/vuln/detail/CVE-2023-28867
https://www.cve.org/CVERecord?id=CVE-2023-28867

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Show plain JSON

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-28867", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-02-19T15:25:51.090Z", "dateReserved": "2023-03-27T00:00:00.000Z", "datePublished": "2023-03-27T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-03-27T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "In GraphQL Java (aka graphql-java) before 20.1, an attacker can send a crafted GraphQL query that causes stack consumption. The fixed versions are 20.1, 19.4, 18.4, 17.5, and 0.0.0-2023-03-20T01-49-44-80e3135."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/graphql-java/graphql-java/pull/3112"}, {"url": "https://github.com/graphql-java/graphql-java/releases/tag/v17.5"}, {"url": "https://github.com/graphql-java/graphql-java/releases/tag/v18.4"}, {"url": "https://github.com/graphql-java/graphql-java/releases/tag/v19.4"}, {"url": "https://github.com/graphql-java/graphql-java/releases/tag/v20.1"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T13:51:38.550Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/graphql-java/graphql-java/pull/3112", "tags": ["x_transferred"]}, {"url": "https://github.com/graphql-java/graphql-java/releases/tag/v17.5", "tags": ["x_transferred"]}, {"url": "https://github.com/graphql-java/graphql-java/releases/tag/v18.4", "tags": ["x_transferred"]}, {"url": "https://github.com/graphql-java/graphql-java/releases/tag/v19.4", "tags": ["x_transferred"]}, {"url": "https://github.com/graphql-java/graphql-java/releases/tag/v20.1", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-19T15:25:05.702767Z", "id": "CVE-2023-28867", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-19T15:25:51.090Z"}}]}}

{

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

cveMetadata : { »

state : PUBLISHED (string)

cveId : CVE-2023-28867 (string)

assignerOrgId : 8254265b-2729-46b6-b9e3-3dfca2d5bfca (string)

assignerShortName : mitre (string)

dateUpdated : 2025-02-19T15:25:51.090Z (string)

dateReserved : 2023-03-27T00:00:00.000Z (string)

datePublished : 2023-03-27T00:00:00.000Z (string)

}

containers : { »

cna : { »

providerMetadata : { »

orgId : 8254265b-2729-46b6-b9e3-3dfca2d5bfca (string)

shortName : mitre (string)

dateUpdated : 2023-03-27T00:00:00.000Z (string)

}

descriptions : [ »

0 : { »

lang : en (string)

value : In GraphQL Java (aka graphql-java) before 20.1, an attacker can send a crafted GraphQL query that causes stack consumption. The fixed versions are 20.1, 19.4, 18.4, 17.5, and 0.0.0-2023-03-20T01-49-44-80e3135. (string)

}

]

affected : [ »

0 : { »

vendor : n/a (string)

product : n/a (string)

versions : [ »

0 : { »

version : n/a (string)

status : affected (string)

}

]

}

]

references : [ »

0 : { »

url : https://github.com/graphql-java/graphql-java/pull/3112 (string)

}

1 : { »

url : https://github.com/graphql-java/graphql-java/releases/tag/v17.5 (string)

}

2 : { »

url : https://github.com/graphql-java/graphql-java/releases/tag/v18.4 (string)

}

3 : { »

url : https://github.com/graphql-java/graphql-java/releases/tag/v19.4 (string)

}

4 : { »

url : https://github.com/graphql-java/graphql-java/releases/tag/v20.1 (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

type : text (string)

lang : en (string)

description : n/a (string)

}

]

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-02T13:51:38.550Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

url : https://github.com/graphql-java/graphql-java/pull/3112 (string)

tags : [ »

0 : x_transferred (string)

]

}

1 : { »

url : https://github.com/graphql-java/graphql-java/releases/tag/v17.5 (string)

tags : [ »

0 : x_transferred (string)

]

}

2 : { »

url : https://github.com/graphql-java/graphql-java/releases/tag/v18.4 (string)

tags : [ »

0 : x_transferred (string)

]

}

3 : { »

url : https://github.com/graphql-java/graphql-java/releases/tag/v19.4 (string)

tags : [ »

0 : x_transferred (string)

]

}

4 : { »

url : https://github.com/graphql-java/graphql-java/releases/tag/v20.1 (string)

tags : [ »

0 : x_transferred (string)

]

}

]

}

1 : { »

metrics : [ »

0 : { »

other : { »

type : ssvc (string)

content : { »

timestamp : 2025-02-19T15:25:05.702767Z (string)

id : CVE-2023-28867 (string)

options : [ »

0 : { »

Exploitation : none (string)

}

1 : { »

Automatable : yes (string)

}

2 : { »

Technical Impact : partial (string)

}

]

role : CISA Coordinator (string)

version : 2.0.3 (string)

}

]

title : CISA ADP Vulnrichment (string)

providerMetadata : { »

orgId : 134c704f-9b21-4f2e-91b3-4a467353bcc0 (string)

shortName : CISA-ADP (string)

dateUpdated : 2025-02-19T15:25:51.090Z (string)

}

]

}

Show plain JSON

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/graphql-java/graphql-java/pull/3112", "tags": ["x_transferred"]}, {"url": "https://github.com/graphql-java/graphql-java/releases/tag/v17.5", "tags": ["x_transferred"]}, {"url": "https://github.com/graphql-java/graphql-java/releases/tag/v18.4", "tags": ["x_transferred"]}, {"url": "https://github.com/graphql-java/graphql-java/releases/tag/v19.4", "tags": ["x_transferred"]}, {"url": "https://github.com/graphql-java/graphql-java/releases/tag/v20.1", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T13:51:38.550Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-28867", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-19T15:25:05.702767Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-19T15:25:45.929Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/graphql-java/graphql-java/pull/3112"}, {"url": "https://github.com/graphql-java/graphql-java/releases/tag/v17.5"}, {"url": "https://github.com/graphql-java/graphql-java/releases/tag/v18.4"}, {"url": "https://github.com/graphql-java/graphql-java/releases/tag/v19.4"}, {"url": "https://github.com/graphql-java/graphql-java/releases/tag/v20.1"}], "descriptions": [{"lang": "en", "value": "In GraphQL Java (aka graphql-java) before 20.1, an attacker can send a crafted GraphQL query that causes stack consumption. The fixed versions are 20.1, 19.4, 18.4, 17.5, and 0.0.0-2023-03-20T01-49-44-80e3135."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-03-27T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2023-28867", "state": "PUBLISHED", "dateUpdated": "2025-02-19T15:25:51.090Z", "dateReserved": "2023-03-27T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2023-03-27T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{

dataType : CVE_RECORD (string)

containers : { »

adp : [ »

0 : { »

title : CVE Program Container (string)

references : [ »

0 : { »

url : https://github.com/graphql-java/graphql-java/pull/3112 (string)

tags : [ »

0 : x_transferred (string)

]

}

1 : { »

url : https://github.com/graphql-java/graphql-java/releases/tag/v17.5 (string)

tags : [ »

0 : x_transferred (string)

]

}

2 : { »

url : https://github.com/graphql-java/graphql-java/releases/tag/v18.4 (string)

tags : [ »

0 : x_transferred (string)

]

}

3 : { »

url : https://github.com/graphql-java/graphql-java/releases/tag/v19.4 (string)

tags : [ »

0 : x_transferred (string)

]

}

4 : { »

url : https://github.com/graphql-java/graphql-java/releases/tag/v20.1 (string)

tags : [ »

0 : x_transferred (string)

]

}

]

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-02T13:51:38.550Z (string)

}

1 : { »

title : CISA ADP Vulnrichment (string)

metrics : [ »

0 : { »

other : { »

type : ssvc (string)

content : { »

id : CVE-2023-28867 (string)

role : CISA Coordinator (string)

options : [ »

0 : { »

Exploitation : none (string)

}

1 : { »

Automatable : yes (string)

}

2 : { »

Technical Impact : partial (string)

}

]

version : 2.0.3 (string)

timestamp : 2025-02-19T15:25:05.702767Z (string)

}

]

providerMetadata : { »

orgId : 134c704f-9b21-4f2e-91b3-4a467353bcc0 (string)

shortName : CISA-ADP (string)

dateUpdated : 2025-02-19T15:25:45.929Z (string)

}

]

cna : { »

affected : [ »

0 : { »

vendor : n/a (string)

product : n/a (string)

versions : [ »

0 : { »

status : affected (string)

version : n/a (string)

}

]

}

]

references : [ »

0 : { »

url : https://github.com/graphql-java/graphql-java/pull/3112 (string)

}

1 : { »

url : https://github.com/graphql-java/graphql-java/releases/tag/v17.5 (string)

}

2 : { »

url : https://github.com/graphql-java/graphql-java/releases/tag/v18.4 (string)

}

3 : { »

url : https://github.com/graphql-java/graphql-java/releases/tag/v19.4 (string)

}

4 : { »

url : https://github.com/graphql-java/graphql-java/releases/tag/v20.1 (string)

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : In GraphQL Java (aka graphql-java) before 20.1, an attacker can send a crafted GraphQL query that causes stack consumption. The fixed versions are 20.1, 19.4, 18.4, 17.5, and 0.0.0-2023-03-20T01-49-44-80e3135. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

lang : en (string)

type : text (string)

description : n/a (string)

}

]

}

]

providerMetadata : { »

orgId : 8254265b-2729-46b6-b9e3-3dfca2d5bfca (string)

shortName : mitre (string)

dateUpdated : 2023-03-27T00:00:00.000Z (string)

}

cveMetadata : { »

cveId : CVE-2023-28867 (string)

state : PUBLISHED (string)

dateUpdated : 2025-02-19T15:25:51.090Z (string)

dateReserved : 2023-03-27T00:00:00.000Z (string)

assignerOrgId : 8254265b-2729-46b6-b9e3-3dfca2d5bfca (string)

datePublished : 2023-03-27T00:00:00.000Z (string)

assignerShortName : mitre (string)

}

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:graphql-java:graphql-java:*:*:*:*:*:*:*:*", "matchCriteriaId": "69FCAB99-DF08-4B03-9FBC-9621BF9C0820", "versionEndExcluding": "17.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:graphql-java:graphql-java:*:*:*:*:*:*:*:*", "matchCriteriaId": "5A5880A2-BC5A-48B3-9916-91CA7DA48C48", "versionEndExcluding": "18.4", "versionStartIncluding": "18.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:graphql-java:graphql-java:*:*:*:*:*:*:*:*", "matchCriteriaId": "45943F35-6801-451B-BC93-0FF9533290BD", "versionEndExcluding": "19.4", "versionStartIncluding": "19.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:graphql-java:graphql-java:20.0:*:*:*:*:*:*:*", "matchCriteriaId": "9A9F6EBC-5C0B-4816-949E-E3AD77343984", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In GraphQL Java (aka graphql-java) before 20.1, an attacker can send a crafted GraphQL query that causes stack consumption. The fixed versions are 20.1, 19.4, 18.4, 17.5, and 0.0.0-2023-03-20T01-49-44-80e3135."}], "id": "CVE-2023-28867", "lastModified": "2024-11-21T07:56:11.547", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-03-27T01:15:07.413", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/graphql-java/graphql-java/pull/3112"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/graphql-java/graphql-java/releases/tag/v17.5"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/graphql-java/graphql-java/releases/tag/v18.4"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/graphql-java/graphql-java/releases/tag/v19.4"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/graphql-java/graphql-java/releases/tag/v20.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/graphql-java/graphql-java/pull/3112"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/graphql-java/graphql-java/releases/tag/v17.5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/graphql-java/graphql-java/releases/tag/v18.4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/graphql-java/graphql-java/releases/tag/v19.4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/graphql-java/graphql-java/releases/tag/v20.1"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:graphql-java:graphql-java:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 69FCAB99-DF08-4B03-9FBC-9621BF9C0820 (string)

versionEndExcluding : 17.5 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:graphql-java:graphql-java:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 5A5880A2-BC5A-48B3-9916-91CA7DA48C48 (string)

versionEndExcluding : 18.4 (string)

versionStartIncluding : 18.0 (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:a:graphql-java:graphql-java:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 45943F35-6801-451B-BC93-0FF9533290BD (string)

versionEndExcluding : 19.4 (string)

versionStartIncluding : 19.0 (string)

vulnerable : true (boolean)

}

3 : { »

criteria : cpe:2.3:a:graphql-java:graphql-java:20.0:*:*:*:*:*:*:* (string)

matchCriteriaId : 9A9F6EBC-5C0B-4816-949E-E3AD77343984 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : In GraphQL Java (aka graphql-java) before 20.1, an attacker can send a crafted GraphQL query that causes stack consumption. The fixed versions are 20.1, 19.4, 18.4, 17.5, and 0.0.0-2023-03-20T01-49-44-80e3135. (string)

}

]

id : CVE-2023-28867 (string)

lastModified : 2024-11-21T07:56:11.547 (string)

metrics : { »

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : HIGH (string)

baseScore : 7.5 (number)

baseSeverity : HIGH (string)

confidentialityImpact : NONE (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (string)

version : 3.1 (string)

}

exploitabilityScore : 3.9 (number)

impactScore : 3.6 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2023-03-27T01:15:07.413 (string)

references : [ »

0 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Issue Tracking (string)

1 : Patch (string)

]

url : https://github.com/graphql-java/graphql-java/pull/3112 (string)

}

1 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Release Notes (string)

]

url : https://github.com/graphql-java/graphql-java/releases/tag/v17.5 (string)

}

2 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Release Notes (string)

]

url : https://github.com/graphql-java/graphql-java/releases/tag/v18.4 (string)

}

3 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Release Notes (string)

]

url : https://github.com/graphql-java/graphql-java/releases/tag/v19.4 (string)

}

4 : { »

source : cve@mitre.org (string)

tags : [ »

0 : Release Notes (string)

]

url : https://github.com/graphql-java/graphql-java/releases/tag/v20.1 (string)

}

5 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Issue Tracking (string)

1 : Patch (string)

]

url : https://github.com/graphql-java/graphql-java/pull/3112 (string)

}

6 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Release Notes (string)

]

url : https://github.com/graphql-java/graphql-java/releases/tag/v17.5 (string)

}

7 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Release Notes (string)

]

url : https://github.com/graphql-java/graphql-java/releases/tag/v18.4 (string)

}

8 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Release Notes (string)

]

url : https://github.com/graphql-java/graphql-java/releases/tag/v19.4 (string)

}

9 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Release Notes (string)

]

url : https://github.com/graphql-java/graphql-java/releases/tag/v20.1 (string)

}

]

sourceIdentifier : cve@mitre.org (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-770 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Show plain JSON

{"affected_release": [{"advisory": "RHSA-2023:3809", "cpe": "cpe:/a:redhat:quarkus:2.13::el8", "package": "com.graphql-java/graphql-java:19.4.0.redhat-00001", "product_name": "Red Hat build of Quarkus 2.13.8.Final", "release_date": "2023-06-29T00:00:00Z"}, {"advisory": "RHSA-2023:3815", "cpe": "cpe:/a:redhat:service_registry:2.4", "package": "graphql-java", "product_name": "RHINT Service Registry 2.4.3 GA", "release_date": "2023-06-27T00:00:00Z"}], "bugzilla": {"description": "graphql-java: crafted GraphQL query causes stack consumption", "id": "2181977", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2181977"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-20", "details": ["In GraphQL Java (aka graphql-java) before 20.1, an attacker can send a crafted GraphQL query that causes stack consumption. The fixed versions are 20.1, 19.4, 18.4, 17.5, and 0.0.0-2023-03-20T01-49-44-80e3135.", "A flaw was found in GraphQL Java. This issue may allow a malicious user to send a crafted GraphQL query that causes stack consumption, causing a denial of service."], "name": "CVE-2023-28867", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "graphql-java", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "graphql-java", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "graphql-java", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "graphql-java", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Will not fix", "package_name": "graphql-java", "product_name": "Red Hat OpenShift Application Runtimes"}], "public_date": "2023-03-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-28867\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-28867"], "threat_severity": "Moderate"}

{

affected_release : [ »

0 : { »

advisory : RHSA-2023:3809 (string)

cpe : cpe:/a:redhat:quarkus:2.13::el8 (string)

package : com.graphql-java/graphql-java:19.4.0.redhat-00001 (string)

product_name : Red Hat build of Quarkus 2.13.8.Final (string)

release_date : 2023-06-29T00:00:00Z (string)

}

1 : { »

advisory : RHSA-2023:3815 (string)

cpe : cpe:/a:redhat:service_registry:2.4 (string)

package : graphql-java (string)

product_name : RHINT Service Registry 2.4.3 GA (string)

release_date : 2023-06-27T00:00:00Z (string)

}

]

bugzilla : { »

description : graphql-java: crafted GraphQL query causes stack consumption (string)

id : 2181977 (string)

url : https://bugzilla.redhat.com/show_bug.cgi?id=2181977 (string)

}

csaw : false (boolean)

cvss3 : { »

cvss3_base_score : 7.5 (string)

cvss3_scoring_vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (string)

status : verified (string)

}

cwe : CWE-20 (string)

details : [ »

0 : In GraphQL Java (aka graphql-java) before 20.1, an attacker can send a crafted GraphQL query that causes stack consumption. The fixed versions are 20.1, 19.4, 18.4, 17.5, and 0.0.0-2023-03-20T01-49-44-80e3135. (string)

1 : A flaw was found in GraphQL Java. This issue may allow a malicious user to send a crafted GraphQL query that causes stack consumption, causing a denial of service. (string)

]

name : CVE-2023-28867 (string)

package_state : [ »

0 : { »

cpe : cpe:/a:redhat:jboss_fuse:7 (string)

fix_state : Not affected (string)

package_name : graphql-java (string)

product_name : Red Hat Fuse 7 (string)

}

1 : { »

cpe : cpe:/a:redhat:integration:1 (string)

fix_state : Will not fix (string)

package_name : graphql-java (string)

product_name : Red Hat Integration Camel K 1 (string)

}

2 : { »

cpe : cpe:/a:redhat:jboss_enterprise_application_platform:7 (string)

fix_state : Not affected (string)

package_name : graphql-java (string)

product_name : Red Hat JBoss Enterprise Application Platform 7 (string)

}

3 : { »

cpe : cpe:/a:redhat:jbosseapxp (string)

fix_state : Not affected (string)

package_name : graphql-java (string)

product_name : Red Hat JBoss Enterprise Application Platform Expansion Pack (string)

}

4 : { »

cpe : cpe:/a:redhat:openshift_application_runtimes:1.0 (string)

fix_state : Will not fix (string)

package_name : graphql-java (string)

product_name : Red Hat OpenShift Application Runtimes (string)

}

]

public_date : 2023-03-27T00:00:00Z (string)

references : [ »

0 : https://www.cve.org/CVERecord?id=CVE-2023-28867 https://nvd.nist.gov/vuln/detail/CVE-2023-28867 (string)

]

threat_severity : Moderate (string)

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object