CVE-2022-21708
Panic via malicious inputs in github.com/graph-gophers/graphql-go
描述
graphql-go is a GraphQL server with a focus on ease of use. In versions prior to 1.3.0 there exists a DoS vulnerability that is possible due to a bug in the library that would allow an attacker with specifically designed queries to cause stack overflow panics. Any user with access to the GraphQL handler can send these queries and cause stack overflows. This in turn could potentially compromise the ability of the server to serve data to its users. The issue has been patched in version `v1.3.0`. The only known workaround for this issue is to disable the `graphql.MaxDepth` option from your schema which is not recommended.
如何修補 CVE-2022-21708
要修補 CVE-2022-21708,請將受影響套件升級到下列已修補版本。
- —未列出修補版本
- —升級至 1.3.0 或更新版本
- —升級至 1.3.0 或更新版本
CVE-2022-21708 正在被利用嗎?
低 — EPSS 為 0.2%,目前沒有觀察到大規模利用活動。
受影響套件(3)
- from 0
- from 0, < 1.3.0
- from 0, < 1.3.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |