Summary There is a vulnerability in the GraphQL Java library used by IBM WebSphere Application Server Liberty with the mpGraphQL-1.0 or mpGraphQL-2.0 feature enabled. Vulnerability Details CVEID:CVE-2024-40094 DESCRIPTION: GraphQL Java (aka graphql-java) is vulnerable to a denial of service, caused by the failure to properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service. By using introspection queries, a remote attacker could exploit this vulnerability to cause a denial of service. CWE:CWE-20: Improper Input Validation CVSS Source: IBM X-Force CVSS Base score: 5.3 CVSS Vector:(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) Affected Products and Versions Affected Product(s)| Version(s) —|— IBM WebSphere Application Server Liberty| 20.0.0.6 – 24.0.0.11 Remediation/Fixes IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH63673. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to How to determine if Liberty is using a specific feature. For IBM WebSphere Application Server Liberty 20.0.0.6 – 24.0.0.11 using the mpGraphQL-1.0 or mpGraphQL-2.0 feature(s): · Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH63673 –OR– · Apply Liberty Fix Pack 24.0.0.12 or later (targeted availability 4Q2024). Additional interim fixes may be available…Read More