CVE-2023-26144

Exploit

EPSS 2.53%
Veröffentlicht 20.09.2023 05:15:39
Zuletzt bearbeitet 21.11.2024 07:50:52
Quelle report@snyk.io
CVE-Watchlists
Login
Unerledigt
Login

Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance.

**Note:** It was not proven that this vulnerability can crash the process.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Graphql ≫ Graphql SwPlatformnode.js Version >= 16.3.0 < 16.8.1

Graphql ≫ Graphql Version17.0.0 Updatealpha1 SwPlatformnode.js

Graphql ≫ Graphql Version17.0.0 Updatealpha2 SwPlatformnode.js

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.53%	0.852

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
report@snyk.io	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://github.com/graphql/graphql-js/commit/f94b511386c7e47bd0380dcd56553dc063320226

Patch

https://github.com/graphql/graphql-js/issues/3955

Third Party Advisory

Exploit

Issue Tracking

https://github.com/graphql/graphql-js/pull/3972

Product

https://github.com/graphql/graphql-js/releases/tag/v16.8.1

Release Notes

https://security.snyk.io/vuln/SNYK-JS-GRAPHQL-5905181

Patch