Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1nNTZ4LTdqNnctZzhyOM4AA34j

Grackle has StackOverflowError in GraphQL query processing

Impact

Prior to this fix, the GraphQL query parsing was vulnerable to StackOverflowErrors. The possibility of small queries resulting in stack overflow is a potential denial of service vulnerability.

This potentially affects all applications using Grackle which have untrusted users.

[!CAUTION]
No specific knowledge of an application's GraphQL schema would be required to construct a pathological query.

Patches

The stack overflow issues have been resolved in the v0.18.0 release of Grackle.

Workarounds

Users could interpose a sanitizing layer in between untrusted input and Grackle query processing.

Permalink: https://github.com/advisories/GHSA-g56x-7j6w-g8r8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nNTZ4LTdqNnctZzhyOM4AA34j
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 12 months ago
Updated: 12 months ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-g56x-7j6w-g8r8, CVE-2023-50730
References: Repository: https://github.com/typelevel/grackle
Blast Radius: 1.0

Affected Packages

maven:edu.gemini:gsp-graphql-core_native0.4_3
Affected Version Ranges: <= 0.14.0
No known fixed version
maven:edu.gemini:gsp-graphql-core_native0.4_2.13
Affected Version Ranges: <= 0.14.0
No known fixed version
maven:edu.gemini:gsp-graphql-core_sjs1_3
Affected Version Ranges: <= 0.14.0
No known fixed version
maven:edu.gemini:gsp-graphql-core_sjs1_2.13
Affected Version Ranges: <= 0.14.0
No known fixed version
maven:edu.gemini:gsp-graphql-core_3
Dependent packages: 6
Dependent repositories: 0
Downloads:
Affected Version Ranges: <= 0.14.0
No known fixed version
All affected versions: 0.0.47, 0.0.48, 0.0.49, 0.0.50, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.1.16, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.9.1, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.11.0, 0.12.0, 0.13.0, 0.14.0
maven:edu.gemini:gsp-graphql-core_2.13
Dependent packages: 9
Dependent repositories: 0
Downloads:
Affected Version Ranges: <= 0.14.0
No known fixed version
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12, 0.0.13, 0.0.14, 0.0.15, 0.0.16, 0.0.17, 0.0.18, 0.0.19, 0.0.21, 0.0.22, 0.0.23, 0.0.24, 0.0.25, 0.0.26, 0.0.27, 0.0.28, 0.0.29, 0.0.30, 0.0.31, 0.0.32, 0.0.33, 0.0.34, 0.0.35, 0.0.36, 0.0.37, 0.0.38, 0.0.39, 0.0.40, 0.0.41, 0.0.42, 0.0.43, 0.0.44, 0.0.45, 0.0.47, 0.0.48, 0.0.49, 0.0.50, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.1.16, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.9.1, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.11.0, 0.12.0, 0.13.0, 0.14.0
maven:org.typelevel:grackle-core_native0.4_3
Affected Version Ranges: < 0.18.0
Fixed in: 0.18.0
maven:org.typelevel:grackle-core_native0.4_2.13
Affected Version Ranges: < 0.18.0
Fixed in: 0.18.0
maven:org.typelevel:grackle-core_sjs1_3
Affected Version Ranges: < 0.18.0
Fixed in: 0.18.0
maven:org.typelevel:grackle-core_sjs1_2.13
Affected Version Ranges: < 0.18.0
Fixed in: 0.18.0
maven:org.typelevel:grackle-core_3
Affected Version Ranges: < 0.18.0
Fixed in: 0.18.0
maven:org.typelevel:grackle-core_2.13
Affected Version Ranges: < 0.18.0
Fixed in: 0.18.0