Vulnerability

CVE-2024-40094

 Report advisory or correction

CVSS Score 8.7 high

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE

CWE-770

References

https://github.com/advisories/GHSA-h9mq-f6q5-6c8m
https://github.com/graphql-java/graphql-java/discussions/3641
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-40094

[CVE-2024-40094] CWE-770: Allocation of Resources Without Limits or Throttling

Description

GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. 20.9 and 19.11 are also fixed versions.

Deviation Notice:
Sonatype's research suggests that this CVE's details differ from those defined at NVD or other reporting sources; sign in for details.

Sign up and see:

Detailed deviation notices:
  • Detailed deviations
  • References
  • Custom Descriptions [Coming Soon]
Sign Up
See com.graphql-java/graphql-java package information