CVE-2024-50311: A denial of service (DoS) vulnerability was found in OpenShift (23rd Oct 2024)

Preface: Typical REST APIs exhibit a few issues that GraphQL can solve. One of the most prominent is over-fetching, which occurs when a client retrieves more data from the server than it needs. When the OpenShift Console fetches a lot of data, it leverages the chunked list responses introduced in Kubernetes (k8s) 1.9: fetching is split into separate HTTP requests, which improves the responsiveness of the UI because results are shown incrementally.

Background: GraphQL is a web service technology. It is a query language and server-side runtime for application programming interfaces (APIs) that gives API clients exactly the data they requested. As an alternative to REST, GraphQL allows developers to make requests to fetch data from multiple data sources with a single API call.

GraphQL technology is becoming the new standard for communication between front-end and back-end. Get started using GraphQL in OpenShift Console 4.6.

Vulnerability details: A denial of service (DoS) vulnerability was found in OpenShift. This flaw allows attackers to exploit the GraphQL batching functionality. The vulnerability arises because multiple queries can be sent within a single request, enabling an attacker to submit one request containing thousands of aliases in a single query. Each alias is resolved as a separate selection, so the request causes excessive resource consumption on the server, leading to application unavailability for legitimate users.
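As an added illustration of the mitigation side (this is example code written for this post, not Red Hat's or the OpenShift Console's own fix), the Python below implements a request pre-check that a GraphQL endpoint can run before any resolver executes: it normalises both single and batched (JSON array) request bodies, counts alias selections in each operation with a small heuristic tokenizer, and rejects requests that exceed assumed limits. The limit values, the `pods` field, and the sample request bodies are all constructed for the example.

```python
import json
import re

# Assumed limits for this example; tune them to your deployment.
MAX_ALIASES_PER_QUERY = 50
MAX_OPERATIONS_PER_BATCH = 5

# GraphQL names match /[_A-Za-z][_0-9A-Za-z]*/. An alias is "name: field" inside a
# selection set. Arguments and variable definitions use the same "name: value"
# shape, so string literals and parenthesised lists are blanked out before counting.
_STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')
_PARENS_RE = re.compile(r'\([^()]*\)')
_ALIAS_RE = re.compile(r'\b[_A-Za-z][_0-9A-Za-z]*\s*:\s*[_A-Za-z][_0-9A-Za-z]*')


def count_aliases(query: str) -> int:
    """Count alias selections in a GraphQL document (heuristic, not a full parser)."""
    stripped = _STRING_RE.sub('""', query)
    previous = None
    while previous != stripped:  # repeat in case parenthesised lists nest
        previous = stripped
        stripped = _PARENS_RE.sub("()", stripped)
    return len(_ALIAS_RE.findall(stripped))


def extract_operations(body: str) -> list:
    """Normalise a GraphQL HTTP body: one operation object or a batched JSON array."""
    payload = json.loads(body)
    operations = payload if isinstance(payload, list) else [payload]
    return [op for op in operations
            if isinstance(op, dict) and isinstance(op.get("query"), str)]


def check_request(body: str) -> tuple:
    """Return (allowed, reason). Oversized batches and alias-heavy operations are
    rejected up front, before the server spends CPU and memory resolving them."""
    operations = extract_operations(body)
    if len(operations) > MAX_OPERATIONS_PER_BATCH:
        return False, f"batch of {len(operations)} operations exceeds {MAX_OPERATIONS_PER_BATCH}"
    for index, op in enumerate(operations):
        aliases = count_aliases(op["query"])
        if aliases > MAX_ALIASES_PER_QUERY:
            return False, f"operation {index} declares {aliases} aliases, limit is {MAX_ALIASES_PER_QUERY}"
    return True, "ok"


# Constructed sample bodies, not captured traffic.
NORMAL_BODY = json.dumps({
    "query": "query Pods($ns: String!) { pods(namespace: $ns) { name status } }",
    "variables": {"ns": "default"},
})


def aliased_body(n: int) -> str:
    """Build one operation selecting the same field under n aliases, the request
    shape the advisory describes, so the check can be exercised."""
    selections = " ".join(f'p{i}: pods(namespace: "default") {{ name }}' for i in range(n))
    return json.dumps({"query": f"{{ {selections} }}"})


def batched_body(n: int) -> str:
    """Build a JSON-array batch of n ordinary operations."""
    return json.dumps([json.loads(NORMAL_BODY) for _ in range(n)])


if __name__ == "__main__":
    print(check_request(NORMAL_BODY))        # allowed
    print(check_request(aliased_body(5)))    # allowed, 5 aliases
    print(check_request(aliased_body(500)))  # rejected, alias limit
    print(check_request(batched_body(20)))   # rejected, batch limit
```

The regex-based counter is deliberately simple so the example stays self-contained; in a real deployment the same two limits are better enforced on the parsed query AST that the server's GraphQL library already produces, and they belong alongside a query depth or cost limit, since aliases are only one way to multiply the work a single request demands.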

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-50311
