CVE-2021-43801

EPSS 0.37%
Veröffentlicht 13.12.2021 20:15:07
Zuletzt bearbeitet 21.11.2024 06:29:49
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Mercurius is a GraphQL adapter for Fastify. Any users from Mercurius@8.10.0 to 8.11.1 are subjected to a denial of service attack by sending a malformed JSON to `/graphql` unless they are using a custom error handler. The vulnerability has been fixed in https://github.com/mercurius-js/mercurius/pull/678 and shipped as v8.11.2. As a workaround users may use a custom error handler.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mercurius Project ≫ Mercurius SwPlatformnode.js Version >= 8.10.0 < 8.11.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.37%	0.579

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-754 Improper Check for Unusual or Exceptional Conditions

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

https://github.com/mercurius-js/mercurius/issues/677

Patch

Third Party Advisory

Issue Tracking

https://github.com/mercurius-js/mercurius/pull/678/commits/732b2f895312da8deadd7b173dcd2d141d54b223

Patch

Third Party Advisory

https://github.com/mercurius-js/mercurius/security/advisories/GHSA-273r-rm8g-7f3x

Patch

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-43801

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-43801

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-43801

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2021-43801