CVE-2024-50312: 
Red Hat Enterprise Linux CoreOS (RHCOS) vulnerability analysis and mitigation

A vulnerability (CVE-2024-50312) was discovered in GraphQL due to improper access controls on the GraphQL introspection query. The vulnerability was first reported on October 17, 2024, affecting Red Hat OpenShift Container Platform. This security flaw allows unauthorized users to retrieve a comprehensive list of available queries and mutations from the GraphQL API (NVD, Red Hat Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The flaw is categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The vulnerability specifically relates to the GraphQL introspection functionality, which when exploited, allows unauthorized access to the API's schema information (NVD).

The exposure of this vulnerability increases the attack surface by allowing unauthorized users to obtain detailed information about the API structure. This information disclosure can facilitate the discovery of flaws or errors specific to the application's GraphQL implementation, potentially enabling attackers to identify and exploit other vulnerabilities (Bugzilla).

The vulnerability has been addressed in Red Hat OpenShift Container Platform versions 4.16.30 and 4.17.12 through security updates RHSA-2025:0140 and RHSA-2025:0115 respectively. The fix involves disabling GraphQL introspection functionality (GitHub PR, Red Hat Advisory).