GraphQL Introspection IntControl Bypass Exposes Schema
CVE-2024-50312 Published on October 22, 2024
Graphql: information disclosure via graphql introspection in openshift
A vulnerability was found in GraphQL due to improper access controls on the GraphQL introspection query. This flaw allows unauthorized users to retrieve a comprehensive list of available queries and mutations. Exposure to this flaw increases the attack surface, as it can facilitate the discovery of flaws or errors specific to the application's GraphQL implementation.
Vulnerability Analysis
CVE-2024-50312 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Timeline
Reported to Red Hat.
Made public.
Weakness Type
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2024-50312 has been classified to as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2024-50312
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-50312 are published in these products:
Affected Versions
Red Hat OpenShift Container Platform 4.16:- Version v4.16.0-202501080105.p0.g6fe3e8b.assembly.stream.el9 and below * is unaffected.
- Version v4.17.0-202501080135.p0.gedbd12e.assembly.stream.el9 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.