
Upgrade com.graphql-java:graphql-java to resolve security vulnerabilities #1045

Status: Closed
upendra-vedullapalli opened this issue Mar 16, 2023 · 3 comments
Labels: bug (Something isn't working)
Milestone: 5.7.0

Comments

@upendra-vedullapalli (Contributor)

Issue Description

This repo is vulnerable to a DoS attack (CVE-2022-37734) from com.graphql-java:graphql-java:16.2

Steps to Reproduce

Run a check on the dependencies list using a plugin like OWASP to list all security vulnerabilities

Expected Result

Dependency check report for vulnerabilities would list CVE-2022-37734

Actual Result

Dependency on com.graphql-java:graphql-java from a version before 19.0 makes this repository vulnerable to a DoS attack when parsing larger schemas

Your Environment and Setup

  • graphql-java-codegen version: 5.6.0
  • Build tool: Gradle
  • Mapping Config: Default configuration
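The reproduction step above amounts to scanning the resolved dependency tree for a graphql-java version below the 19.0 cut-off the issue names. The script below is an added example, not code from this issue or from the graphql-java-codegen project: it parses the text that `./gradlew dependencies --configuration runtimeClasspath` prints (including Gradle's `16.2 -> 19.2` notation for versions bumped by conflict resolution or a constraint) and reports any resolved `com.graphql-java:graphql-java` below `FIXED_VERSION`. Both sample reports are constructed for illustration; the `io.github.kobylynskyi:graphql-java-codegen` coordinate and the tree shape are assumptions, and the 19.0 threshold is taken from the issue text, so adjust it if your advisory feed lists a different fixed version.

```python
"""Scan `gradle dependencies` output for com.graphql-java:graphql-java versions
below the fixed version named in the issue (19.0 for CVE-2022-37734)."""
import re
from typing import List, Tuple

GROUP, ARTIFACT = "com.graphql-java", "graphql-java"
FIXED_VERSION = "19.0"   # cut-off stated in the issue; adjust to your advisory source

# Matches one dependency line of a Gradle tree report, e.g.
#   "|    +--- com.graphql-java:graphql-java:16.2 -> 19.2 (*)"
# groups: 1 = group id, 2 = artifact, 3 = declared version,
#         4 = version Gradle actually resolved when it differs from the declared one.
DEP_LINE = re.compile(
    r"^[\s|+\\-]*([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):(\{[^}]*\}|\S+)(?:\s+->\s+(\S+))?"
)

# Constructed sample reports (assumption: graphql-java-codegen 5.6.0 pulls in
# graphql-java 16.2 transitively). The second shows the same tree after a
# dependency constraint has bumped graphql-java to 19.2.
VULNERABLE_REPORT = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- io.github.kobylynskyi:graphql-java-codegen:5.6.0
|    \\--- com.graphql-java:graphql-java:16.2
|         \\--- org.antlr:antlr4-runtime:4.9.1
\\--- com.fasterxml.jackson.core:jackson-databind:2.14.2
"""

PATCHED_REPORT = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- io.github.kobylynskyi:graphql-java-codegen:5.6.0
|    \\--- com.graphql-java:graphql-java:16.2 -> 19.2
|         \\--- org.antlr:antlr4-runtime:4.9.3
\\--- com.graphql-java:graphql-java:19.2 (*)
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '19.2' or '16.2.1' into a comparable tuple of the leading numeric parts.
    A qualifier such as '-SNAPSHOT' is dropped; an unparseable spec such as a
    '{strictly 19.2}' constraint yields () so callers can skip it."""
    parts: List[int] = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        return ()
    while len(parts) < 3:
        parts.append(0)          # so '19' compares equal to '19.0.0', not below it
    return tuple(parts)


def resolved_artifacts(report: str) -> List[Tuple[str, str, str]]:
    """Return (group, artifact, resolved_version) for every dependency line,
    preferring the version after '->' because that is what ends up on the classpath."""
    found: List[Tuple[str, str, str]] = []
    for line in report.splitlines():
        match = DEP_LINE.match(line)
        if not match:
            continue                # header, separator or project(:module) line
        group, artifact, declared, resolved = match.groups()
        found.append((group, artifact, resolved or declared))
    return found


def vulnerable_versions(report: str, fixed: str = FIXED_VERSION) -> List[str]:
    """Distinct resolved graphql-java versions below `fixed`, in report order."""
    fixed_tuple = parse_version(fixed)
    hits: List[str] = []
    for group, artifact, version in resolved_artifacts(report):
        parsed = parse_version(version)
        if (group, artifact) != (GROUP, ARTIFACT) or not parsed:
            continue
        if parsed < fixed_tuple and version not in hits:
            hits.append(version)
    return hits


if __name__ == "__main__":
    for name, report in (("vulnerable", VULNERABLE_REPORT), ("patched", PATCHED_REPORT)):
        hits = vulnerable_versions(report)
        print(f"{name}: {'FAIL, resolved ' + ', '.join(hits) if hits else 'ok'}")
```

To run it against a real build, pipe the Gradle report in place of the constructed samples; note that the check compares only the resolved version, so a declared `16.2` that Gradle has already bumped to a fixed version is correctly treated as clean.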
@upendra-vedullapalli upendra-vedullapalli added the bug Something isn't working label Mar 16, 2023
kobylynskyi added a commit that referenced this issue Mar 16, 2023
…1045 (#1046)

Co-authored-by: Upendra Vedullapalli <upendra.rao.vedullapalli@entur.org>
Co-authored-by: Bogdan Kobylynskyi <92bogdan@gmail.com>
@kobylynskyi kobylynskyi added this to the 5.7.0 milestone Mar 16, 2023
@kobylynskyi (Owner)

Thanks @upendrao for working on this. Your fix will be released in 5.7.0 very soon.

@upendra-vedullapalli (Contributor, Author)

@kobylynskyi
May I know when we can expect 5.7.0 to be released?

@kobylynskyi (Owner)

I am waiting just for one PR to be merged for 5.7.0 and we should be good to go. Thanks.
