GHSA-g56x-7j6w-g8r8: Grackle has StackOverflowError in GraphQL query processing

Impact

Prior to this fix, the GraphQL query parsing was vulnerable to StackOverflowErrors. The possibility of small queries resulting in stack overflow is a potential denial of service vulnerability.

This potentially affects all applications using Grackle which have untrusted users.

Caution: No specific knowledge of an application’s GraphQL schema would be required to construct a pathological query.

Patches

The stack overflow issues have been resolved in the v0.18.0 release of Grackle.

Workarounds

Users could interpose a sanitizing layer in between untrusted input and Grackle query processing.
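
One shape such a sanitizing layer could take, as an added example (not code from Grackle or from the advisory): a guard that rejects oversized or deeply nested query text before it reaches the parser. The advisory does not say which query shapes trigger the overflow, so bounding length and bracket depth is an assumption about what to limit; `QueryGuard`, `check` and both limit values are hypothetical names and numbers.

```scala
// Added example: pre-parse guard for untrusted GraphQL text (not Grackle code).
object QueryGuard {
  val MaxChars = 10000 // assumed limit; size it to your largest legitimate query
  val MaxDepth = 32    // assumed limit on nested { } ( ) [ ]

  /** Right(query) if within limits, Left(reason) otherwise. The scan is a
    * single loop, so the guard's own stack use does not grow with the input. */
  def check(query: String, maxChars: Int = MaxChars,
            maxDepth: Int = MaxDepth): Either[String, String] = {
    if (query.length > maxChars) return Left(s"query longer than $maxChars chars")
    val n = query.length
    var i = 0
    var depth = 0
    while (i < n) {
      query.charAt(i) match {
        case '#' => // comment: brackets up to end of line do not count
          while (i < n && query.charAt(i) != '\n' && query.charAt(i) != '\r') i += 1
        case '"' if query.startsWith("\"\"\"", i) => // block string
          i += 3
          var closed = false
          while (i < n && !closed) {
            if (query.startsWith("\\\"\"\"", i)) i += 4 // escaped triple quote
            else if (query.startsWith("\"\"\"", i)) { i += 3; closed = true }
            else i += 1
          }
          if (!closed) return Left("unterminated block string")
        case '"' => // ordinary string: brackets inside it do not count
          i += 1
          while (i < n && query.charAt(i) != '"' && query.charAt(i) != '\n') {
            if (query.charAt(i) == '\\') i += 1 // skip the escaped character
            i += 1
          }
          if (i >= n || query.charAt(i) != '"') return Left("unterminated string")
          i += 1
        case '{' | '(' | '[' =>
          depth += 1
          if (depth > maxDepth) return Left(s"nesting deeper than $maxDepth")
          i += 1
        case '}' | ')' | ']' => // counts depth only; bracket kinds are not matched
          depth -= 1
          if (depth < 0) return Left("unbalanced closing bracket")
          i += 1
        case _ => i += 1
      }
    }
    if (depth != 0) Left("unbalanced brackets") else Right(query)
  }
}
```

Pass only the `Right` value on to Grackle and answer a `Left` with a client error; the guard limits input shape and is not a replacement for upgrading to the patched release.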

CVE-2023-50730

Severity: High. GitHub Reviewed. Published Dec 18, 2023 in typelevel/grackle; updated Dec 18, 2023.

Package

  • edu.gemini:gsp-graphql-core_2.13 (Maven), affected versions: <= 0.14.0
  • edu.gemini:gsp-graphql-core_3 (Maven)
  • edu.gemini:gsp-graphql-core_native0.4_2.13 (Maven)
  • edu.gemini:gsp-graphql-core_native0.4_3 (Maven)
  • edu.gemini:gsp-graphql-core_sjs1_2.13 (Maven)
  • edu.gemini:gsp-graphql-core_sjs1_3 (Maven)
  • org.typelevel:grackle-core_2.13 (Maven)
  • org.typelevel:grackle-core_3 (Maven)
  • org.typelevel:grackle-core_native0.4_2.13 (Maven)
  • org.typelevel:grackle-core_native0.4_3 (Maven)
  • org.typelevel:grackle-core_sjs1_2.13 (Maven)
  • org.typelevel:grackle-core_sjs1_3 (Maven)

References

  • GHSA-g56x-7j6w-g8r8
  • typelevel/grackle@56e244b
  • https://github.com/typelevel/grackle/releases/tag/v0.18.0

Published to the GitHub Advisory Database: Dec 18, 2023

Last updated: Dec 18, 2023
