CVE-2024-40094 – graphql-java: Allocation of Resources Without Limits or Throttling in GraphQL Java
https://notcve.org/view.php?id=CVE-2024-40094
GraphQL Java (aka graphql-java) before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. 20.9 and 19.11 are also fixed versions. ... This flaw allows an attacker to perform a denial of service (DoS) attack via introspection queries. • https://github.com/graphql-java/graphql-java/releases/tag/v21.5 https://github.com/graphql-java/graphql-java/releases/tag/v20.9 https://github.com/graphql-java/graphql-java/releases/tag/v19.11 https://github.com/graphql-java/graphql-java/commit/97743bc1b5caa2b0bd894dc8e128b47e4d771e4a https://github.com/graphql-java/graphql-java/discussions/3641 https://github.com/graphql-java/graphql-java/pull/3539 https://access.redhat.com/security/cve/CVE-2024-40094 https://bugzilla.redhat.com/show_bug • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2024-41439
https://notcve.org/view.php?id=CVE-2024-41439
A heap buffer overflow in the function cp_block() (/vendor/cute_png.h) of hicolor v0.5.0 allows attackers to cause a Denial of Service (DoS) via a crafted PNG file. • https://github.com/Helson-S/FuzzyTesting/blob/master/hicolor/heapof-w98-cp_block-5c0-cute_png-642c5 https://github.com/Helson-S/FuzzyTesting/blob/master/hicolor/heapof-w98-cp_block-5c0-cute_png-642c5/vulDescription.md https://github.com/Helson-S/FuzzyTesting/blob/master/hicolor/heapof-w98-cp_block-5c0-cute_png-642c5/poc https://github.com/Helson-S/FuzzyTesting/blob/master/hicolor/heapof-w98-cp_block-5c0-cute_png-642c5/poc/sample13.png https://github.com/Helson-S/FuzzyTesting/blob/master • CWE-787: Out-of-bounds Write •
CVE-2024-39011
https://notcve.org/view.php?id=CVE-2024-39011
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via the function mergeObjects. Prototype Pollution en chargeover redoc v2.0.9-rc.69 permite a los atacantes ejecutar código arbitrario o provocar una denegación de servicio (DoS) y provocar otros impactos a través de la función mergeObjects. • https://gist.github.com/mestrtee/693ef1c8b0a5ff1ae19f253381711f3e • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVE-2024-41440
https://notcve.org/view.php?id=CVE-2024-41440
A heap buffer overflow in the function png_quantize() of hicolor v0.5.0 allows attackers to cause a Denial of Service (DoS) via a crafted PNG file. • https://github.com/Helson-S/FuzzyTesting/blob/master/hicolor/heapof-w1-png_quantize-cli-220c32 https://github.com/Helson-S/FuzzyTesting/blob/master/hicolor/heapof-w1-png_quantize-cli-220c32/vulDescription.md https://github.com/Helson-S/FuzzyTesting/blob/master/hicolor/heapof-w1-png_quantize-cli-220c32/poc https://github.com/Helson-S/FuzzyTesting/blob/master/hicolor/heapof-w1-png_quantize-cli-220c32/poc/sample18.png https://github.com/Helson-S/FuzzyTesting/blob/master/hicolor/heapof-w1-png_quantize • CWE-122: Heap-based Buffer Overflow •
CVE-2024-38986
https://notcve.org/view.php?id=CVE-2024-38986
Prototype Pollution in 75lb deep-merge 1.1.1 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via merge methods of lodash to merge objects. Prototype Pollution en 75 lb deep-merge 1.1.1 permite a los atacantes ejecutar código arbitrario o provocar una denegación de servicio (DoS) y provocar otros impactos mediante métodos de fusión de lodash para fusionar objetos. • https://gist.github.com/mestrtee/b20c3aee8bea16e1863933778da6e4cb • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •