Bug 2319378 (CVE-2024-50312) - CVE-2024-50312 GraphQL: Information Disclosure via GraphQL Introspection in OpenShift

Key information:
Vulnerability ID: CVE-2024-50312
Reported: 2024-10-17 14:28 UTC
Reporter: OSIDB Bzimport
Fix date: 2024-10-22 12:42 UTC
Product: Security Response
Component: vulnerability
Version: unspecified
OS: Linux
Priority: medium
Severity: medium

Description:
- In GraphQL, an information disclosure vulnerability was observed while interacting with the GraphQL API.
- Users or unauthorized attackers can view information about all available queries and operations.
- This information can give an attacker opportunities to identify vulnerabilities and processing errors.

Other information:
Keywords: Security
Status: NEW
Target Milestone: ---
Assigned To: Product Security DevOps Team
Doc Type: If docs needed, set a value
Doc Text: A vulnerability was found in GraphQL due to improper access controls on the GraphQL introspection query. This flaw allows unauthorized users to retrieve a comprehensive list of available queries and mutations. Exposure to this flaw increases the attack surface, as it can facilitate the discovery of flaws or errors specific to the application's GraphQL implementation.

Attachments:
Attachment description:
- In GraphQL, an information leak vulnerability has been observed while interacting with the GraphQL API.
- Users or unauthorized actors can view information about all available queries and mutations in the server's response. This type of information can provide an attacker with numerous opportunities to identify vulnerabilities and processing errors.
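The Doc Text above attributes the flaw to missing access controls on the introspection query. The following is an added illustration, not code from OpenShift or from this bug report, of a request gate that leaves ordinary queries alone but refuses schema introspection (`__schema` / `__type`) unless the caller is authenticated and holds an allowed role; the request model, role names and sample queries are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical request model (assumption; not from the advisory).
@dataclass(frozen=True)
class GraphQLRequest:
    query: str
    authenticated: bool = False
    roles: frozenset = frozenset()

# String literals (block and single-line) and comments are removed before the
# check so that "__schema" inside a string argument or a comment cannot
# trigger or hide a match.
_LITERALS_RE = re.compile(r'"""(?:.|\n)*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*')
# Only full-schema introspection fields. The \b after "type" keeps the
# harmless __typename meta-field from matching.
_INTROSPECTION_RE = re.compile(r'\b__(?:schema|type)\b')

def strip_literals(query: str) -> str:
    """Return the query with string literals and comments blanked out."""
    return _LITERALS_RE.sub('""', query)

def requests_introspection(query: str) -> bool:
    """True when the document selects __schema or __type anywhere."""
    return _INTROSPECTION_RE.search(strip_literals(query)) is not None

def gate_weak(req: GraphQLRequest) -> str:
    """The vulnerable behaviour: introspection answered for anyone."""
    return "allow"

def gate_hardened(req: GraphQLRequest,
                  allow_roles: frozenset = frozenset({"admin"})) -> str:
    """Deny schema introspection unless the caller is authenticated and
    holds one of allow_roles; every non-introspection query passes."""
    if not requests_introspection(req.query):
        return "allow"
    if req.authenticated and req.roles & allow_roles:
        return "allow"
    return "deny"  # unauthenticated or unprivileged introspection attempt

if __name__ == "__main__":
    anon = GraphQLRequest("{ __schema { types { name } } }")
    print(gate_weak(anon), gate_hardened(anon))  # allow deny
```

In production the denied branch is also the place to emit an audit event, since repeated anonymous introspection attempts are a useful reconnaissance signal.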