modules:
  - module: github.com/graph-gophers/graphql-go
    versions:
      - fixed: 1.3.0
    vulnerable_at: 1.2.0
    packages:
      - package: github.com/graph-gophers/graphql-go
        symbols:
          - Schema.ValidateWithVariables
          - Schema.exec
          - Schema.subscribe
        derived_symbols:
          - Schema.Exec
          - Schema.Subscribe
          - Schema.ToJSON
          - Schema.Validate
description: |
  Malicious inputs can cause a panic.
  A maliciously crafted input can cause a stack overflow and panic.
  Any user with access to the GraphQL endpoint can send such a query.
  This issue only occurs when using the graphql.MaxDepth schema option
  (which is highly recommended in most cases).
published: 2022-07-15T23:10:20Z
cves:
  - CVE-2022-21708
ghsas:
  - GHSA-mh3m-8c74-74xh
references:
  - fix: https://github.com/graph-gophers/graphql-go/commit/eae31ca73eb3473c544710955d1dbebc22605bfe