Lookup for vulnerable packages by Package URL.
| Purl | pkg:maven/edu.gemini/gsp-graphql-core_3@0.14.0 |
|---|
| Type | maven |
|---|
| Namespace | edu.gemini |
|---|
| Name | gsp-graphql-core_3 |
|---|
| Version | 0.14.0 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | true |
|---|
| Next_non_vulnerable_version | null |
|---|
| Latest_non_vulnerable_version | null |
|---|
| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-dfhj-eq1n-1fhr |
| vulnerability_id |
VCID-dfhj-eq1n-1fhr |
| summary |
Grackle has StackOverflowError in GraphQL query processing
### Impact
Prior to this fix, the GraphQL query parsing was vulnerable to `StackOverflowError`s. The possibility of small queries resulting in stack overflow is a potential denial of service vulnerability.
This potentially affects all applications using Grackle which have untrusted users.
> [!CAUTION]
> **No specific knowledge of an application's GraphQL schema would be required to construct a pathological query.**
### Patches
The stack overflow issues have been resolved in the v0.18.0 release of Grackle.
### Workarounds
Users could interpose a sanitizing layer in between untrusted input and Grackle query processing. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-50730, GHSA-g56x-7j6w-g8r8
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dfhj-eq1n-1fhr |
|
|
|---|
| Fixing_vulnerabilities |
|
|---|
| Risk_score | null |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:maven/edu.gemini/gsp-graphql-core_3@0.14.0 |
|---|