jaydenseric / graphql-upload

Middleware and an Upload scalar to add support for GraphQL multipart requests (file uploads via queries and mutations) to various Node.js GraphQL servers.
https://npm.im/graphql-upload
MIT License

Security Bug - CVE-2022-29353 #304

Closed Teganh closed 2 years ago

Teganh commented 2 years ago

CVE raised against graphql-upload see the following link for more details:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29353

jaydenseric commented 2 years ago

Some time ago I had email conversations with the person that "discovered" that and they have already apologised for the false alarm; there is no vulnerability in graphql-upload. They mistook the naive implementation in this example GraphQL app and API for graphql-upload behavior. Even a basic understanding of the graphql-upload API or reading the demo API source code would have revealed the misunderstanding.

I was not aware a CVE was raised, but it's in error. I don't know what the process is for retracting it, but it seems intuitive that the responsibility lies on whoever mistakenly raised it.

It also doesn't seem ethically right that they raised the CVE 2 days after I asked them to explain what they thought the vulnerability was, and they ghosted me. If they had explained their thinking I could have easily explained why they are mistaken and avoided them freaking everyone out with a hoax CVE.

Teganh commented 1 year ago

Thanks for the update, I only raised this as it came up in our scans as a high vulnerability.

Hopefully it gets retracted soon :)

On Wed, 18 May 2022 at 4:35 PM, Jayden Seric @.***> wrote:

Closed #304 https://github.com/jaydenseric/graphql-upload/issues/304.
