GHSA-g56x-7j6w-g8r8
Suggest an improvement- Source
- https://github.com/advisories/GHSA-g56x-7j6w-g8r8
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-g56x-7j6w-g8r8/GHSA-g56x-7j6w-g8r8.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-g56x-7j6w-g8r8
- Aliases
- Published
- 2023-12-18T23:26:52Z
- Modified
- 2024-02-16T08:17:44.599957Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Grackle has StackOverflowError in GraphQL query processing
- Details
-
Impact
Prior to this fix, the GraphQL query parsing was vulnerable to
StackOverflowErrors. The possibility of small queries resulting in stack overflow is a potential denial of service vulnerability.This potentially affects all applications using Grackle which have untrusted users.
[!CAUTION]
No specific knowledge of an application's GraphQL schema would be required to construct a pathological query.Patches
The stack overflow issues have been resolved in the v0.18.0 release of Grackle.
Workarounds
Users could interpose a sanitizing layer in between untrusted input and Grackle query processing.
- Database specific
{ "nvd_published_at": "2023-12-22T21:15:07Z", "cwe_ids": [ "CWE-400" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-12-18T23:26:52Z" }- References
-
- https://github.com/typelevel/grackle/security/advisories/GHSA-g56x-7j6w-g8r8
- https://nvd.nist.gov/vuln/detail/CVE-2023-50730
- https://github.com/typelevel/grackle/commit/56e244b91659cf385df590fc6c46695b6f36cbfd
- https://github.com/typelevel/grackle
- https://github.com/typelevel/grackle/releases/tag/v0.18.0
Affected packages
Maven / org.typelevel:grackle-core_2.13
Package
- Name
- org.typelevel:grackle-core_2.13
- View open source insights on deps.dev
- Purl
- pkg:maven/org.typelevel/grackle-core_2.13
Maven / org.typelevel:grackle-core_3
Package
- Name
- org.typelevel:grackle-core_3
- View open source insights on deps.dev
- Purl
- pkg:maven/org.typelevel/grackle-core_3
Maven / org.typelevel:grackle-core_sjs1_2.13
Package
- Name
- org.typelevel:grackle-core_sjs1_2.13
- View open source insights on deps.dev
- Purl
- pkg:maven/org.typelevel/grackle-core_sjs1_2.13
Maven / org.typelevel:grackle-core_sjs1_3
Package
- Name
- org.typelevel:grackle-core_sjs1_3
- View open source insights on deps.dev
- Purl
- pkg:maven/org.typelevel/grackle-core_sjs1_3
Maven / org.typelevel:grackle-core_native0.4_2.13
Package
- Name
- org.typelevel:grackle-core_native0.4_2.13
- View open source insights on deps.dev
- Purl
- pkg:maven/org.typelevel/grackle-core_native0.4_2.13
Maven / org.typelevel:grackle-core_native0.4_3
Package
- Name
- org.typelevel:grackle-core_native0.4_3
- View open source insights on deps.dev
- Purl
- pkg:maven/org.typelevel/grackle-core_native0.4_3
Maven / edu.gemini:gsp-graphql-core_2.13
Package
- Name
- edu.gemini:gsp-graphql-core_2.13
- View open source insights on deps.dev
- Purl
- pkg:maven/edu.gemini/gsp-graphql-core_2.13
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedLast affected0.14.0
Affected versions
0.*
0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.0.8
0.0.9
0.0.10
0.0.11
0.0.12
0.0.13
0.0.14
0.0.15
0.0.16
0.0.17
0.0.18
0.0.19
0.0.21
0.0.22
0.0.23
0.0.24
0.0.25
0.0.26
0.0.27
0.0.28
0.0.29
0.0.30
0.0.31
0.0.32
0.0.33
0.0.34
0.0.35
0.0.36
0.0.37
0.0.38
0.0.39
0.0.40
0.0.41
0.0.42
0.0.43
0.0.44
0.0.45
0.0.47
0.0.48
0.0.49
0.0.50
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.1.10
0.1.11
0.1.12
0.1.13
0.1.14
0.1.15
0.1.16
0.2.0
0.2.1
0.3.0
0.3.1
0.3.2
0.4.0
0.5.0
0.5.1
0.5.2
0.6.0
0.7.0
0.8.0
0.8.1
0.8.2
0.9.0
0.9.1
0.10.0
0.10.1
0.10.2
0.10.3
0.11.0
0.12.0
0.13.0
0.14.0
Maven / edu.gemini:gsp-graphql-core_3
Package
- Name
- edu.gemini:gsp-graphql-core_3
- View open source insights on deps.dev
- Purl
- pkg:maven/edu.gemini/gsp-graphql-core_3
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedLast affected0.14.0
Affected versions
0.*
0.0.47
0.0.48
0.0.49
0.0.50
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.1.10
0.1.11
0.1.12
0.1.13
0.1.14
0.1.15
0.1.16
0.2.0
0.2.1
0.3.0
0.3.1
0.3.2
0.4.0
0.5.0
0.5.1
0.5.2
0.6.0
0.7.0
0.8.0
0.8.1
0.8.2
0.9.0
0.9.1
0.10.0
0.10.1
0.10.2
0.10.3
0.11.0
0.12.0
0.13.0
0.14.0
Maven / edu.gemini:gsp-graphql-core_sjs1_2.13
Package
- Name
- edu.gemini:gsp-graphql-core_sjs1_2.13
- View open source insights on deps.dev
- Purl
- pkg:maven/edu.gemini/gsp-graphql-core_sjs1_2.13
Maven / edu.gemini:gsp-graphql-core_sjs1_3
Package
- Name
- edu.gemini:gsp-graphql-core_sjs1_3
- View open source insights on deps.dev
- Purl
- pkg:maven/edu.gemini/gsp-graphql-core_sjs1_3
Maven / edu.gemini:gsp-graphql-core_native0.4_2.13
Package
- Name
- edu.gemini:gsp-graphql-core_native0.4_2.13
- View open source insights on deps.dev
- Purl
- pkg:maven/edu.gemini/gsp-graphql-core_native0.4_2.13
Maven / edu.gemini:gsp-graphql-core_native0.4_3
Package
- Name
- edu.gemini:gsp-graphql-core_native0.4_3
- View open source insights on deps.dev
- Purl
- pkg:maven/edu.gemini/gsp-graphql-core_native0.4_3