GHSA-MH3M-8C74-74XH

Vulnerability from github – Published: 2022-01-27 15:28 – Updated: 2022-01-31 21:59
VLAI?
Summary
Denial of Service in graphql-go
Details

Impact

This is a DoS vulnerability that is possible due to a bug in the library that would allow an attacker with specifically designed queries to cause stack overflow panics. Any user with access to the GraphQL handler can send these queries and cause stack overflows. This in turn could potentially compromise the ability of the server to serve data to its users. To make things worse the only mitigation in affected versions creates opportunities for other attacks. This issue is only available if you are using graphql.MaxDepth option in your schema (which is highly recommended in most cases).

Patches

The issue has been patched in version v1.3.0. We have been trying to maintain backwards compatibility and avoid breaking changes so upgrading should not be problematic.

Workarounds

The best workaround is to patch to a version greater than or equal to v1.3.0. Otherwise, the only workaround in versions prior to v1.3.0 is to disable the graphql.MaxDepth option from your schema. Unfortunately, this could potentially create opportunities for other attacks.

References

There are no references or links. This issue was reported privately and was fixed before creating this Security Advisory.

For more information

If you have any questions or comments feel free to reach out to @pavelnikolov or @tony on the Gopher Slack.

Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/graph-gophers/graphql-go"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21708"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-24T22:42:15Z",
    "nvd_published_at": "2022-01-21T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThis is a DoS vulnerability that is possible due to a bug in the library that would allow an attacker with specifically designed queries to cause stack overflow panics. Any user with access to the GraphQL handler can send these queries and cause stack overflows. This in turn could potentially compromise the ability of the server to serve data to its users. To make things worse the only mitigation in affected versions creates opportunities for other attacks. This issue is only available if you are using `graphql.MaxDepth` option in your schema (which is highly recommended in most cases).\n\n### Patches\nThe issue has been patched in version `v1.3.0`. We have been trying to maintain backwards compatibility and avoid breaking changes so upgrading should not be problematic. \n\n### Workarounds\nThe best workaround is to patch to a version greater than or equal to `v1.3.0`. \nOtherwise, the only workaround in versions prior to `v1.3.0` is to disable the `graphql.MaxDepth` option from your schema. Unfortunately, this could potentially create opportunities for other attacks.\n\n### References\nThere are no references or links. This issue was reported privately and was fixed before creating this Security Advisory.\n\n### For more information\nIf you have any questions or comments feel free to reach out to @pavelnikolov or @tony on the Gopher Slack.",
  "id": "GHSA-mh3m-8c74-74xh",
  "modified": "2022-01-31T21:59:33Z",
  "published": "2022-01-27T15:28:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/graph-gophers/graphql-go/security/advisories/GHSA-mh3m-8c74-74xh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21708"
    },
    {
      "type": "WEB",
      "url": "https://github.com/graph-gophers/graphql-go/commit/eae31ca73eb3473c544710955d1dbebc22605bfe"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/graph-gophers/graphql-go"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-0300"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Denial of Service in graphql-go"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.