search

jgeraigery / synapse

Synapse is a set of lightweight foundational framework modules for rapid development, built-in with enterprise-grade maturity and quality.
Apache License 2.0
0 stars 0 forks source link

graphql-spring-boot-starter-11.1.0.jar: 1 vulnerabilities (highest severity is: 7.5) reachable - autoclosed #46

Closed mend-for-github-com[bot] closed 8 months ago

mend-for-github-com[bot] commented 8 months ago
Vulnerable Library - graphql-spring-boot-starter-11.1.0.jar

Path to dependency file: /service/service-samples/sample-service-graphql-book/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/graphql-java/graphql-java/16.2/graphql-java-16.2.jar

Found in HEAD commit: ac25342ed87808bc68336b53ce636a671aca91da

Oops, something went wrong. We couldn’t find a fix. Support token-7dd82af1eb5c4348a7ff49fa1b1c9635

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (graphql-spring-boot-starter version) Fix PR available Reachability
CVE-2022-37734 High 7.5 graphql-java-16.2.jar Transitive N/A*

Reachable

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-37734 (Reachable) ### Vulnerable Library - graphql-java-16.2.jar

GraphqL Java

Library home page: https://github.com/graphql-java/graphql-java

Path to dependency file: /client/synapse-client-graphql/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/graphql-java/graphql-java/16.2/graphql-java-16.2.jar

Dependency Hierarchy: - graphql-spring-boot-starter-11.1.0.jar (Root Library) - graphql-spring-boot-autoconfigure-11.1.0.jar - graphql-kickstart-spring-boot-starter-tools-11.1.0.jar - graphql-kickstart-spring-boot-autoconfigure-tools-11.1.0.jar - graphql-java-tools-11.0.1.jar - :x: **graphql-java-16.2.jar** (Vulnerable Library)

Found in HEAD commit: ac25342ed87808bc68336b53ce636a671aca91da

Found in base branch: develop

### Reachability Analysis This vulnerability is potentially reachable ``` io.americanexpress.synapse.service.graphql.config.GraphQLServiceConfig (Application) -> graphql.schema.GraphQLScalarType (Extension) -> graphql.schema.GraphQLScalarType$Builder (Extension) -> graphql.schema.GraphQLDirective$Builder (Extension) -> graphql.introspection.Introspection (Extension) -> ❌ graphql.schema.GraphQLUnionType (Vulnerable Component) ```

### Vulnerability Details

graphql-java before19.0 is vulnerable to Denial of Service. An attacker can send a malicious GraphQL query that consumes CPU resources. The fixed versions are 19.0 and later, 18.3, and 17.4, and 0.0.0-2022-07-26T05-45-04-226aabd9.

Publish Date: 2022-09-12

URL: CVE-2022-37734

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2022-09-12

Fix Resolution: com.graphql-java:graphql-java:17.4,18.3,19.0

mend-for-github-com[bot] commented 8 months ago

:information_source: This issue was automatically closed by Mend because it is a duplicate of an existing issue: #47

mend-for-github-com[bot] commented 8 months ago

:information_source: This issue was automatically closed by Mend because it is a duplicate of an existing issue: #47