CVE-2022-31173 - OpenCVE

Juniper is a GraphQL server library for Rust. Affected versions of Juniper are vulnerable to uncontrolled recursion resulting in a program crash. This issue has been addressed in version 0.15.10. Users are advised to upgrade. Users unable to upgrade should limit the recursion depth manually.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Juniper Project	Juniper

Configuration 1 [-]

cpe:2.3:a:juniper_project:juniper:*:*:*:*:*:rust:*:*

References

Link	Resource
https://github.com/graphql-rust/juniper/blob/juniper-v0.15.10/juniper/CHANGELOG.md#01510-2022-07-28	Release Notes Third Party Advisory
https://github.com/graphql-rust/juniper/commit/2b609ee057be950e3454b69fadc431d120e407bb	Patch Third Party Advisory
https://github.com/graphql-rust/juniper/commit/8d28cdba6eb10f53490ba41d1b5cb40506c2de22	Patch Third Party Advisory
https://github.com/graphql-rust/juniper/security/advisories/GHSA-4rx6-g5vg-5f3j	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-08-01T18:50:12

Updated: 2022-08-01T18:50:12

Reserved: 2022-05-18T00:00:00

Link: CVE-2022-31173

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-08-01T19:15:08.330

Modified: 2023-07-24T13:08:13.910

Link: CVE-2022-31173

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "juniper", "vendor": "graphql-rust", "versions": [{"status": "affected", "version": "< 0.15.10"}]}], "descriptions": [{"lang": "en", "value": "Juniper is a GraphQL server library for Rust. Affected versions of Juniper are vulnerable to uncontrolled recursion resulting in a program crash. This issue has been addressed in version 0.15.10. Users are advised to upgrade. Users unable to upgrade should limit the recursion depth manually."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-01T18:50:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/graphql-rust/juniper/security/advisories/GHSA-4rx6-g5vg-5f3j"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/graphql-rust/juniper/commit/2b609ee057be950e3454b69fadc431d120e407bb"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/graphql-rust/juniper/commit/8d28cdba6eb10f53490ba41d1b5cb40506c2de22"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/graphql-rust/juniper/blob/juniper-v0.15.10/juniper/CHANGELOG.md#01510-2022-07-28"}], "source": {"advisory": "GHSA-4rx6-g5vg-5f3j", "discovery": "UNKNOWN"}, "title": "Juniper is vulnerable to @DOS GraphQL Nested Fragments overflow", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-31173", "STATE": "PUBLIC", "TITLE": "Juniper is vulnerable to @DOS GraphQL Nested Fragments overflow"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "juniper", "version": {"version_data": [{"version_value": "< 0.15.10"}]}}]}, "vendor_name": "graphql-rust"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Juniper is a GraphQL server library for Rust. Affected versions of Juniper are vulnerable to uncontrolled recursion resulting in a program crash. This issue has been addressed in version 0.15.10. Users are advised to upgrade. Users unable to upgrade should limit the recursion depth manually."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/graphql-rust/juniper/security/advisories/GHSA-4rx6-g5vg-5f3j", "refsource": "CONFIRM", "url": "https://github.com/graphql-rust/juniper/security/advisories/GHSA-4rx6-g5vg-5f3j"}, {"name": "https://github.com/graphql-rust/juniper/commit/2b609ee057be950e3454b69fadc431d120e407bb", "refsource": "MISC", "url": "https://github.com/graphql-rust/juniper/commit/2b609ee057be950e3454b69fadc431d120e407bb"}, {"name": "https://github.com/graphql-rust/juniper/commit/8d28cdba6eb10f53490ba41d1b5cb40506c2de22", "refsource": "MISC", "url": "https://github.com/graphql-rust/juniper/commit/8d28cdba6eb10f53490ba41d1b5cb40506c2de22"}, {"name": "https://github.com/graphql-rust/juniper/blob/juniper-v0.15.10/juniper/CHANGELOG.md#01510-2022-07-28", "refsource": "MISC", "url": "https://github.com/graphql-rust/juniper/blob/juniper-v0.15.10/juniper/CHANGELOG.md#01510-2022-07-28"}]}, "source": {"advisory": "GHSA-4rx6-g5vg-5f3j", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-31173", "datePublished": "2022-08-01T18:50:12", "dateReserved": "2022-05-18T00:00:00", "dateUpdated": "2022-08-01T18:50:12", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:juniper_project:juniper:*:*:*:*:*:rust:*:*", "matchCriteriaId": "FC49E6F1-2A38-4C24-B62A-71DAFA11519A", "versionEndExcluding": "0.15.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Juniper is a GraphQL server library for Rust. Affected versions of Juniper are vulnerable to uncontrolled recursion resulting in a program crash. This issue has been addressed in version 0.15.10. Users are advised to upgrade. Users unable to upgrade should limit the recursion depth manually."}, {"lang": "es", "value": "Juniper es una biblioteca de servidor GraphQL para Rust. Las versiones afectadas de Juniper son vulnerables a una recursividad no controlada resultando en un bloqueo del programa. Este problema ha sido abordado en versi\u00f3n 0.15.10. Es recomendado a usuarios actualizar. Los usuarios que no puedan actualizar deber\u00e1n limitar la profundidad de la recursi\u00f3n manualmente"}], "id": "CVE-2022-31173", "lastModified": "2023-07-24T13:08:13.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-08-01T19:15:08.330", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/graphql-rust/juniper/blob/juniper-v0.15.10/juniper/CHANGELOG.md#01510-2022-07-28"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/graphql-rust/juniper/commit/2b609ee057be950e3454b69fadc431d120e407bb"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/graphql-rust/juniper/commit/8d28cdba6eb10f53490ba41d1b5cb40506c2de22"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/graphql-rust/juniper/security/advisories/GHSA-4rx6-g5vg-5f3j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-674"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}