CVE-2022-36084

CVSS V2 None CVSS V3 High 8.8
Description
cruddl is software for creating a GraphQL API for a database, using the GraphQL SDL to model a schema. If cruddl starting with version 1.1.0 and prior to versions 2.7.0 and 3.0.2 is used to generate a schema that uses `@flexSearchFulltext`, users of that schema may be able to inject arbitrary AQL queries that will be forwarded to and executed by ArangoDB. Schemas that do not use `@flexSearchFulltext` are not affected. The attacker needs to have `READ` permission to at least one root entity type that has `@flexSearchFulltext` enabled. The issue has been fixed in version 3.0.2 and in version 2.7.0 of cruddl. As a workaround, users can temporarily remove `@flexSearchFulltext` from their schemas.
Overview
  • CVE ID
  • CVE-2022-36084
  • Assigner
  • security-advisories@github.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2022-09-08T22:15:08
  • Last Modified Date
  • 2022-09-13T19:54:39
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:aeb:cruddl:*:*:*:*:*:node.js:*:* 1 OR 1.1.0 2.7.0
cpe:2.3:a:aeb:cruddl:*:*:*:*:*:node.js:*:* 1 OR 3.0.0 3.0.2
CVSS Version 3
  • Version
  • 3.1
  • Vector String
  • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • LOW
  • User Interaction
  • NONE
  • Scope
  • UNCHANGED
  • Confidentiality Impact
  • HIGH
  • Availability Impact
  • HIGH
  • Base Score
  • 8.8
  • Base Severity
  • HIGH
  • Exploitability Score
  • 2.8
  • Impact Score
  • 5.9
History
Created Old Value New Value Data Type Notes
2022-09-08 23:00:08 Added to TrackCVE