A vulnerability was found in GraphQL due to improper access controls on the GraphQL introspection query. This flaw allows unauthorized users to retrieve a comprehensive list of available queries and mutations. Exposure to this flaw increases the attack surface, as it can facilitate the discovery of flaws or errors specific to the application's GraphQL implementation.
The GraphQL package contains an Information Disclosure vulnerability. The getIntrospectionQuery() function in the getIntrospectionQuery.ts file reveals excessive information about the existing queries and mutations to unauthorized users. A remote attacker can exploit this vulnerability by sending an introspection query to the GraphQL API, thus obtaining a list of available queries and mutations, which can be used to understand the structure of the application and perform further attacks.
Vulnerable library: graphql-15.9.0.tgz
Vulnerable file: package/utilities/getIntrospectionQuery.js
Vulnerable versions: [15.0.0-alpha.1, )
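graphql-js itself can refuse introspection at validation time with its NoSchemaIntrospectionCustomRule; the added example below (written for this page, not taken from the advisory or the graphql project) shows the complementary request-side check a gateway or logging middleware can run before a query reaches the schema. It flags operations that select the `__schema` or `__type` root fields while ignoring those names inside comments and string literals, and the request bodies are constructed samples.

```javascript
// Added example: detect GraphQL introspection operations at the request
// layer so they can be logged or rejected when introspection should not
// be reachable by unauthenticated callers. Field-name tokens are scanned;
// comments and string literals are skipped so "__schema" used as an
// argument value or in a comment is not a false positive.

const INTROSPECTION_FIELDS = new Set(['__schema', '__type']);

// Returns the distinct introspection root fields selected by `query`.
function findIntrospectionFields(query) {
  const hits = [];
  let i = 0;
  while (i < query.length) {
    const ch = query[i];
    if (ch === '#') {                  // comment: skip to end of line
      while (i < query.length && query[i] !== '\n') i++;
    } else if (ch === '"') {           // string literal, plain or block
      const block = query.startsWith('"""', i);
      i += block ? 3 : 1;
      while (i < query.length) {
        if (query[i] === '\\') { i += 2; continue; }
        if (block ? query.startsWith('"""', i) : query[i] === '"') { i += block ? 3 : 1; break; }
        i++;
      }
    } else if (/[_A-Za-z]/.test(ch)) { // name token
      let j = i;
      while (j < query.length && /[_0-9A-Za-z]/.test(query[j])) j++;
      const name = query.slice(i, j);
      // Aliasing (`s: __schema`) still requires the real field name to
      // appear, so matching the name token is sufficient. `__typename`
      // is a different token and is deliberately not treated as a hit.
      if (INTROSPECTION_FIELDS.has(name) && !hits.includes(name)) hits.push(name);
      i = j;
    } else {
      i++;
    }
  }
  return hits;
}

// Middleware-style decision: block introspection unless the caller is
// explicitly allowed to use it (e.g. an authenticated developer role).
function shouldBlock(body, allowIntrospection) {
  if (allowIntrospection) return false;
  const query = typeof body === 'object' && body !== null ? body.query : body;
  if (typeof query !== 'string') return false;
  return findIntrospectionFields(query).length > 0;
}

// Constructed sample request bodies (not real traffic).
const INTROSPECTION_REQUEST = { query: '{ __schema { types { name } } }' };
const ALIASED_REQUEST = { query: 'query Probe { s: __schema { queryType { name } } }' };
const BENIGN_REQUEST = { query: '# __schema in a comment\n{ user(name: "__type") { id } }' };
const TYPENAME_REQUEST = { query: '{ user { __typename id } }' };
```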
https://access.redhat.com/security/cve/CVE-2024-50312
https://bugzilla.redhat.com/show_bug.cgi?id=2319378