Vulnerability Description
GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. 20.9 and 19.11 are also fixed versions.
CVSS Score
5.3 (MEDIUM)
References
- https://github.com/graphql-java/graphql-java/commit/97743bc1b5caa2b0bd894dc8e128
- https://github.com/graphql-java/graphql-java/discussions/3641
- https://github.com/graphql-java/graphql-java/pull/3539
- https://github.com/graphql-java/graphql-java/releases/tag/v19.11
- https://github.com/graphql-java/graphql-java/releases/tag/v20.9
- https://github.com/graphql-java/graphql-java/releases/tag/v21.5
FAQ
What is CVE-2024-40094?
CVE-2024-40094 is a vulnerability with a CVSS score of 5.3 (MEDIUM). GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. 20.9 and 19.11 are also fixed versions.
How severe is CVE-2024-40094?
CVE-2024-40094 has been rated MEDIUM with a CVSS base score of 5.3/10. See the CVSS Score section above.
Is there a patch for CVE-2024-40094?
Yes. The vulnerability is fixed in graphql-java 21.5, 20.9 and 19.11; see the references section above for the fixing commit, the pull request, the release notes and the project discussion.