GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. 20.9 and 19.11 are also fixed versions.
History

Thu, 05 Dec 2024 02:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Redhat quarkus
CPEs | | cpe:/a:redhat:quarkus:3.2::el8
Vendors & Products | | Redhat quarkus

Wed, 20 Nov 2024 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'} | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Wed, 23 Oct 2024 02:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Redhat; Redhat cryostat
CPEs | | cpe:/a:redhat:cryostat:3::el8
Vendors & Products | | Redhat; Redhat cryostat

Fri, 27 Sep 2024 13:30:00 +0000

Type | Values Removed | Values Added
Title | | graphql-java: Allocation of Resources Without Limits or Throttling in GraphQL Java
Weaknesses | | CWE-770
References | |
Metrics | threat_severity: None | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}; threat_severity: Moderate


MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-07-30T00:00:00

Updated: 2024-11-20T20:13:40.560Z

Reserved: 2024-07-05T00:00:00

Link: CVE-2024-40094

Vulnrichment

Updated: 2024-08-02T04:33:11.692Z

NVD

Status: Awaiting Analysis

Published: 2024-07-30T07:15:01.840

Modified: 2024-11-21T09:30:56.560

Link: CVE-2024-40094

Redhat

Severity: Moderate

Published Date: 2024-07-30T00:00:00Z

Links: CVE-2024-40094 - Bugzilla