CVE Vulnerability

CVE-2022-36084

cruddl is software for creating a GraphQL API for a database, using the GraphQL SDL to model a schema. If cruddl starting with version 1.1.0 and prior to versions 2.7.0 and 3.0.2 is used to generate a schema that uses `@flexSearchFulltext`, users of that schema may be able to inject arbitrary AQL queries that will be forwarded to and executed by ArangoDB. Schemas that do not use `@flexSearchFulltext` are not affected. The attacker needs to have `READ` permission to at least one root entity type that has `@flexSearchFulltext` enabled. The issue has been fixed in version 3.0.2 and in version 2.7.0 of cruddl. As a workaround, users can temporarily remove `@flexSearchFulltext` from their schemas.

8.8 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/AEB-labs/cruddl/pull/253 Patch Third Party Advisory
https://github.com/AEB-labs/cruddl/commit/13b9233733ed6fc822718a07bc90a80cd3492698 Patch Third Party Advisory
https://github.com/AEB-labs/cruddl/security/advisories/GHSA-qm4w-4995-vg7f Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:aeb:cruddl:*:*:*:*:*:node.js:*:*
cpe:2.3:a:aeb:cruddl:*:*:*:*:*:node.js:*:*
Information

Published : 2022-09-08 10:15

Updated : 2022-09-13 07:54

NVD link : CVE-2022-36084

Mitre link : CVE-2022-36084

Products Affected
No products.
CWE
CWE-74