CVE-2023-28867

Source
https://cve.org/CVERecord?id=CVE-2023-28867
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28867.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-28867
Aliases
Published
2023-03-27T01:15:07.413Z
Modified
2026-04-12T01:01:19.983052Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

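In GraphQL Java (aka graphql-java) before 20.1, an attacker can send a crafted GraphQL query that causes excessive stack consumption, resulting in denial of service (the CVSS vector above rates the impact as availability only, A:H, with no confidentiality or integrity impact). The fixed versions are 20.1, 19.4, 18.4, 17.5, and 0.0.0-2023-03-20T01-49-44-80e3135; "before 20.1" therefore does not include the patched maintenance releases, which fix the 19.x, 18.x and 17.x lines from 19.4, 18.4 and 17.5 respectively.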

References

Affected packages

Git / github.com/graphql-java/graphql-java

Affected ranges

Type
GIT
Repo
https://github.com/graphql-java/graphql-java
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Introduced
Fixed
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "17.5"
        },
        {
            "introduced": "18.0"
        },
        {
            "fixed": "18.4"
        },
        {
            "introduced": "19.0"
        },
        {
            "fixed": "19.4"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "20.0"
        }
    ]
}

Affected versions

12.*
12.0
v1.*
v1.0
v1.2
v1.3
v10.*
v10.0
v11.*
v11.0
v12.*
v12.0
v13.*
v13.0
v14.*
v14.0
v15.*
v15.0
v16.*
v16.0
v16.1
v16.2
v17.*
v17.0
v17.0-beta1
v17.0.0-beta1
v17.2
v17.3
v17.4
v18.*
v18.0
v18.1
v18.2
v18.3
v19.*
v19.0
v19.1
v19.2
v19.3
v2.*
v2.0.0
v2.1.0
v2.2.0
v2.3.0
v2.4.0
v20.*
v20.0
v3.*
v3.0.0
v4.*
v4.0
v5.*
v5.0
v6.*
v6.0
v7.*
v7.0
v8.*
v8.0
v9.*
v9.0
v9.1
v9.7

Database specific

vanir_signatures
[
    {
        "digest": {
            "length": 307.0,
            "function_hash": "107096461883321427489822662467714116337"
        },
        "target": {
            "file": "src/main/java/graphql/parser/ParserOptions.java",
            "function": "ParserOptions"
        },
        "id": "CVE-2023-28867-1736e906",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/354bcc355549ef12661d6064ea51a6d4bf20a66c"
    },
    {
        "digest": {
            "length": 358.0,
            "function_hash": "100845729788637426848026172177383082905"
        },
        "target": {
            "file": "src/main/java/graphql/parser/ParserOptions.java",
            "function": "ParserOptions"
        },
        "id": "CVE-2023-28867-19cdfb73",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/1f905d8f5a3343da9abe4522fd145de0c319cd4e"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "39810464262704892563754871815532813521",
                "165316501559607190669458288237610334983",
                "35627563051055791000991564642591742903",
                "85864436817746415041247927113798442401",
                "195441864188803098178798547537929523495",
                "314200291007238960926406327039413550096",
                "2127094700740136968549541663906775223",
                "28942720981026645879105330121937594024",
                "272522729430044705388557687013535291055",
                "172789081020780669056385575504369089135",
                "161592308228573192425130653597497272963",
                "257847696003878904167856234595939976703",
                "141910194616282832636274588007449179038",
                "162422351709377277282648183380178364570",
                "21155586188270923203314999408382070740",
                "309845019958237845687328390800258670777",
                "246411222746214166054943456370084211513",
                "139401985562583892647158600779005865766",
                "98613602508669690155841914830461295674",
                "173929424783329993414352835442163758801",
                "116288404727165704069435834778300964690",
                "181592668769941648756421579526410470597",
                "129219553652390940259631823603094050067",
                "17134766956120441703558036634847004569",
                "39180133892455427899885815116562769428",
                "175491334008586020041722886027116860139",
                "178141823269753667453735617479298620831"
            ]
        },
        "target": {
            "file": "src/main/java/graphql/parser/Parser.java"
        },
        "id": "CVE-2023-28867-25be4ec1",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/graphql-java/graphql-java/commit/1f905d8f5a3343da9abe4522fd145de0c319cd4e"
    },
    {
        "digest": {
            "length": 2029.0,
            "function_hash": "131367469637499662514152788039785718873"
        },
        "target": {
            "file": "src/main/java/graphql/parser/Parser.java",
            "function": "parseImpl"
        },
        "id": "CVE-2023-28867-2d314090",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/1f905d8f5a3343da9abe4522fd145de0c319cd4e"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "167592099264655646664183634937652707679",
                "48061118344386761209421655410361794672",
                "136340033395875762338924714647055543928",
                "98729389709859335548875557707103429431",
                "91416326370818657533111573209263230953",
                "297478578909588886534657724535513718703",
                "13089976929769259490571353488007124246",
                "338427654662022341104417488557457876229",
                "269829574569171290615725279612755665848",
                "4056684683601998069062623756632051213",
                "314612923591991339758976833729365219498",
                "46960125349505788978839297817688662899",
                "72040259244625831823294009055510317505",
                "53862352362822073719081494250115834685",
                "106910668067388805476875303440157788070",
                "276306368489874932668423924759007009769",
                "240520834190533780302424932515378087815",
                "245441175229153445975501379054587156805",
                "54803363921063138440234615057181676309",
                "52354395305982144028806432924491865959",
                "200789073349343591308856415434153339540",
                "4398447980494056475909569226891135570",
                "217492365856953206148280999617600107806",
                "295413907910637757244026578302808421445",
                "99347107812727345644276340698356893253",
                "243639786114660059227904537263337804371",
                "184082509827344320816882284096978071451",
                "301145714464474871332206555035731958165",
                "8097071380394560178713026838585149735",
                "132747338018992063484214645278964739591",
                "111389838724433899831384020036264643244",
                "61616143660020220903382064222456939397",
                "251416392363188586572221146763484883503",
                "68216252802730252774750438877243389761",
                "37953200468002735639786874651527888578",
                "48641215820760846429003416729981659780",
                "209729894160092830063855389200447221609",
                "60267308480124250787641142868099678146",
                "207467004336133005305202410574630972797",
                "194478939411198217990743902055704865779",
                "91331019333138453130832968113321001402",
                "152017923807475988241759782297419553919",
                "335670201368948803720098520808311088959"
            ]
        },
        "target": {
            "file": "src/main/java/graphql/parser/ParserOptions.java"
        },
        "id": "CVE-2023-28867-2e215ef5",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/graphql-java/graphql-java/commit/3e2ccea4c1a41b81ea7c9fd31d7d2dab7e06f8f3"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "39810464262704892563754871815532813521",
                "165316501559607190669458288237610334983",
                "35627563051055791000991564642591742903",
                "85864436817746415041247927113798442401",
                "195441864188803098178798547537929523495",
                "314200291007238960926406327039413550096",
                "2127094700740136968549541663906775223",
                "28942720981026645879105330121937594024",
                "272522729430044705388557687013535291055",
                "172789081020780669056385575504369089135",
                "161592308228573192425130653597497272963",
                "257847696003878904167856234595939976703",
                "141910194616282832636274588007449179038",
                "162422351709377277282648183380178364570",
                "21155586188270923203314999408382070740",
                "309845019958237845687328390800258670777",
                "246411222746214166054943456370084211513",
                "139401985562583892647158600779005865766",
                "98613602508669690155841914830461295674",
                "173929424783329993414352835442163758801",
                "116288404727165704069435834778300964690",
                "181592668769941648756421579526410470597",
                "129219553652390940259631823603094050067",
                "17134766956120441703558036634847004569",
                "39180133892455427899885815116562769428",
                "175491334008586020041722886027116860139",
                "178141823269753667453735617479298620831"
            ]
        },
        "target": {
            "file": "src/main/java/graphql/parser/Parser.java"
        },
        "id": "CVE-2023-28867-636d5477",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/graphql-java/graphql-java/commit/3e2ccea4c1a41b81ea7c9fd31d7d2dab7e06f8f3"
    },
    {
        "digest": {
            "length": 2029.0,
            "function_hash": "131367469637499662514152788039785718873"
        },
        "target": {
            "file": "src/main/java/graphql/parser/Parser.java",
            "function": "parseImpl"
        },
        "id": "CVE-2023-28867-6751c519",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/3e2ccea4c1a41b81ea7c9fd31d7d2dab7e06f8f3"
    },
    {
        "digest": {
            "length": 2029.0,
            "function_hash": "131367469637499662514152788039785718873"
        },
        "target": {
            "file": "src/main/java/graphql/parser/Parser.java",
            "function": "parseImpl"
        },
        "id": "CVE-2023-28867-7a240710",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/354bcc355549ef12661d6064ea51a6d4bf20a66c"
    },
    {
        "digest": {
            "length": 307.0,
            "function_hash": "107096461883321427489822662467714116337"
        },
        "target": {
            "file": "src/main/java/graphql/parser/ParserOptions.java",
            "function": "Builder"
        },
        "id": "CVE-2023-28867-84706de9",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/354bcc355549ef12661d6064ea51a6d4bf20a66c"
    },
    {
        "digest": {
            "length": 622.0,
            "function_hash": "261722846679163255346022045269518140061"
        },
        "target": {
            "file": "src/main/java/graphql/parser/Parser.java",
            "function": "throwCancelParseIfTooManyTokens"
        },
        "id": "CVE-2023-28867-931b3bbd",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/3e2ccea4c1a41b81ea7c9fd31d7d2dab7e06f8f3"
    },
    {
        "digest": {
            "length": 622.0,
            "function_hash": "261722846679163255346022045269518140061"
        },
        "target": {
            "file": "src/main/java/graphql/parser/Parser.java",
            "function": "throwCancelParseIfTooManyTokens"
        },
        "id": "CVE-2023-28867-99162a76",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/1f905d8f5a3343da9abe4522fd145de0c319cd4e"
    },
    {
        "digest": {
            "length": 160.0,
            "function_hash": "98977058209400896274451248014768637340"
        },
        "target": {
            "file": "src/main/java/graphql/parser/Parser.java",
            "function": "visitTerminal"
        },
        "id": "CVE-2023-28867-9f342fad",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/354bcc355549ef12661d6064ea51a6d4bf20a66c"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "167592099264655646664183634937652707679",
                "48061118344386761209421655410361794672",
                "136340033395875762338924714647055543928",
                "98729389709859335548875557707103429431",
                "91416326370818657533111573209263230953",
                "297478578909588886534657724535513718703",
                "13089976929769259490571353488007124246",
                "338427654662022341104417488557457876229",
                "269829574569171290615725279612755665848",
                "4056684683601998069062623756632051213",
                "314612923591991339758976833729365219498",
                "46960125349505788978839297817688662899",
                "72040259244625831823294009055510317505",
                "53862352362822073719081494250115834685",
                "106910668067388805476875303440157788070",
                "276306368489874932668423924759007009769",
                "240520834190533780302424932515378087815",
                "245441175229153445975501379054587156805",
                "54803363921063138440234615057181676309",
                "52354395305982144028806432924491865959",
                "102946193542560119040145842864590979970",
                "81585618443658454952416335334008094176",
                "220566234918611789025807121263669223294",
                "295413907910637757244026578302808421445",
                "190457606341830965153789775001315195676",
                "228605203546321115621511159325076890431",
                "159542464739293998820090389534722265909",
                "139773028368889587784590594558186088375",
                "59075709276663536790541152776342721535",
                "70151371328435594289928652107717301375",
                "56761871629815201096650662931670150612",
                "75681159018350375153611959441500337195",
                "235641403697900720502578085434185703743",
                "48641215820760846429003416729981659780",
                "209729894160092830063855389200447221609",
                "311015808044674598272751413641469290572",
                "9031673614721156524331266755228237343",
                "159770413061440102796656992905069860065",
                "23686616431714611868553961585639452181",
                "19360163883863100654519157062032647181",
                "276726009393873248976542950838164435372"
            ]
        },
        "target": {
            "file": "src/main/java/graphql/parser/ParserOptions.java"
        },
        "id": "CVE-2023-28867-a82fa07d",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/graphql-java/graphql-java/commit/354bcc355549ef12661d6064ea51a6d4bf20a66c"
    },
    {
        "digest": {
            "length": 622.0,
            "function_hash": "261722846679163255346022045269518140061"
        },
        "target": {
            "file": "src/main/java/graphql/parser/Parser.java",
            "function": "throwCancelParseIfTooManyTokens"
        },
        "id": "CVE-2023-28867-a9e6c66d",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/354bcc355549ef12661d6064ea51a6d4bf20a66c"
    },
    {
        "digest": {
            "length": 358.0,
            "function_hash": "100845729788637426848026172177383082905"
        },
        "target": {
            "file": "src/main/java/graphql/parser/ParserOptions.java",
            "function": "Builder"
        },
        "id": "CVE-2023-28867-ad70dde2",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/3e2ccea4c1a41b81ea7c9fd31d7d2dab7e06f8f3"
    },
    {
        "digest": {
            "length": 358.0,
            "function_hash": "100845729788637426848026172177383082905"
        },
        "target": {
            "file": "src/main/java/graphql/parser/ParserOptions.java",
            "function": "Builder"
        },
        "id": "CVE-2023-28867-aecd18e6",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/1f905d8f5a3343da9abe4522fd145de0c319cd4e"
    },
    {
        "digest": {
            "length": 791.0,
            "function_hash": "283419530021468244310602323395699962217"
        },
        "target": {
            "file": "src/main/java/graphql/parser/Parser.java",
            "function": "setupParserListener"
        },
        "id": "CVE-2023-28867-afbc220a",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/1f905d8f5a3343da9abe4522fd145de0c319cd4e"
    },
    {
        "digest": {
            "length": 522.0,
            "function_hash": "192187236361422592697581414175043895792"
        },
        "target": {
            "file": "src/main/java/graphql/parser/Parser.java",
            "function": "visitTerminal"
        },
        "id": "CVE-2023-28867-bc4f4135",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/1f905d8f5a3343da9abe4522fd145de0c319cd4e"
    },
    {
        "digest": {
            "length": 358.0,
            "function_hash": "100845729788637426848026172177383082905"
        },
        "target": {
            "file": "src/main/java/graphql/parser/ParserOptions.java",
            "function": "ParserOptions"
        },
        "id": "CVE-2023-28867-bf473cba",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/3e2ccea4c1a41b81ea7c9fd31d7d2dab7e06f8f3"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "39810464262704892563754871815532813521",
                "165316501559607190669458288237610334983",
                "35627563051055791000991564642591742903",
                "85864436817746415041247927113798442401",
                "322491364238379011668677832620288792409",
                "286606710324992052697418163595418380338",
                "234363346061103890360923069537510902923",
                "149538038130569568411482220888772796758",
                "272522729430044705388557687013535291055",
                "183334901620001236037653991993493545455",
                "211380834177819331184568884267377441686",
                "223876146626007495419016266676682051009",
                "63408308177239304964395097383326721615",
                "257847696003878904167856234595939976703",
                "141910194616282832636274588007449179038",
                "162422351709377277282648183380178364570",
                "21155586188270923203314999408382070740",
                "309845019958237845687328390800258670777",
                "246411222746214166054943456370084211513",
                "139401985562583892647158600779005865766",
                "98613602508669690155841914830461295674",
                "173929424783329993414352835442163758801",
                "116288404727165704069435834778300964690",
                "181592668769941648756421579526410470597",
                "129219553652390940259631823603094050067",
                "17134766956120441703558036634847004569",
                "39180133892455427899885815116562769428",
                "175491334008586020041722886027116860139",
                "178141823269753667453735617479298620831"
            ]
        },
        "target": {
            "file": "src/main/java/graphql/parser/Parser.java"
        },
        "id": "CVE-2023-28867-c1c02d99",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/graphql-java/graphql-java/commit/354bcc355549ef12661d6064ea51a6d4bf20a66c"
    },
    {
        "digest": {
            "length": 791.0,
            "function_hash": "283419530021468244310602323395699962217"
        },
        "target": {
            "file": "src/main/java/graphql/parser/Parser.java",
            "function": "setupParserListener"
        },
        "id": "CVE-2023-28867-e442f89c",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/3e2ccea4c1a41b81ea7c9fd31d7d2dab7e06f8f3"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "167592099264655646664183634937652707679",
                "48061118344386761209421655410361794672",
                "136340033395875762338924714647055543928",
                "98729389709859335548875557707103429431",
                "91416326370818657533111573209263230953",
                "297478578909588886534657724535513718703",
                "13089976929769259490571353488007124246",
                "338427654662022341104417488557457876229",
                "269829574569171290615725279612755665848",
                "4056684683601998069062623756632051213",
                "314612923591991339758976833729365219498",
                "46960125349505788978839297817688662899",
                "72040259244625831823294009055510317505",
                "53862352362822073719081494250115834685",
                "106910668067388805476875303440157788070",
                "276306368489874932668423924759007009769",
                "240520834190533780302424932515378087815",
                "245441175229153445975501379054587156805",
                "54803363921063138440234615057181676309",
                "52354395305982144028806432924491865959",
                "200789073349343591308856415434153339540",
                "4398447980494056475909569226891135570",
                "217492365856953206148280999617600107806",
                "295413907910637757244026578302808421445",
                "99347107812727345644276340698356893253",
                "243639786114660059227904537263337804371",
                "184082509827344320816882284096978071451",
                "301145714464474871332206555035731958165",
                "8097071380394560178713026838585149735",
                "132747338018992063484214645278964739591",
                "111389838724433899831384020036264643244",
                "61616143660020220903382064222456939397",
                "251416392363188586572221146763484883503",
                "68216252802730252774750438877243389761",
                "37953200468002735639786874651527888578",
                "48641215820760846429003416729981659780",
                "209729894160092830063855389200447221609",
                "60267308480124250787641142868099678146",
                "207467004336133005305202410574630972797",
                "194478939411198217990743902055704865779",
                "91331019333138453130832968113321001402",
                "152017923807475988241759782297419553919",
                "335670201368948803720098520808311088959"
            ]
        },
        "target": {
            "file": "src/main/java/graphql/parser/ParserOptions.java"
        },
        "id": "CVE-2023-28867-f088709c",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line",
        "source": "https://github.com/graphql-java/graphql-java/commit/1f905d8f5a3343da9abe4522fd145de0c319cd4e"
    },
    {
        "digest": {
            "length": 522.0,
            "function_hash": "192187236361422592697581414175043895792"
        },
        "target": {
            "file": "src/main/java/graphql/parser/Parser.java",
            "function": "visitTerminal"
        },
        "id": "CVE-2023-28867-f3169add",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/3e2ccea4c1a41b81ea7c9fd31d7d2dab7e06f8f3"
    },
    {
        "digest": {
            "length": 385.0,
            "function_hash": "58632047594417232813919698799212504335"
        },
        "target": {
            "file": "src/main/java/graphql/parser/Parser.java",
            "function": "setupParserListener"
        },
        "id": "CVE-2023-28867-f779ed6b",
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/graphql-java/graphql-java/commit/354bcc355549ef12661d6064ea51a6d4bf20a66c"
    }
]
vanir_signatures_modified
"2026-04-12T01:01:19Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28867.json"