CVE-2022-36084 - OpenCVE

cruddl is software for creating a GraphQL API for a database, using the GraphQL SDL to model a schema. If cruddl starting with version 1.1.0 and prior to versions 2.7.0 and 3.0.2 is used to generate a schema that uses `@flexSearchFulltext`, users of that schema may be able to inject arbitrary AQL queries that will be forwarded to and executed by ArangoDB. Schemas that do not use `@flexSearchFulltext` are not affected. The attacker needs to have `READ` permission to at least one root entity type that has `@flexSearchFulltext` enabled. The issue has been fixed in version 3.0.2 and in version 2.7.0 of cruddl. As a workaround, users can temporarily remove `@flexSearchFulltext` from their schemas.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Aeb	Cruddl

Configuration 1 [-]

OR	cpe:2.3:a:aeb:cruddl::::::node.js::*
	cpe:2.3:a:aeb:cruddl::::::node.js::*

References

Link	Resource
https://github.com/AEB-labs/cruddl/commit/13b9233733ed6fc822718a07bc90a80cd3492698	Patch Third Party Advisory
https://github.com/AEB-labs/cruddl/pull/253	Patch Third Party Advisory
https://github.com/AEB-labs/cruddl/security/advisories/GHSA-qm4w-4995-vg7f	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-09-08T21:15:13

Updated: 2022-09-08T21:15:13

Reserved: 2022-07-15T00:00:00

Link: CVE-2022-36084

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-09-08T22:15:08.713

Modified: 2023-06-29T16:16:54.117

Link: CVE-2022-36084

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "cruddl", "vendor": "AEB-labs", "versions": [{"status": "affected", "version": ">= 3.0.0, < 3.0.2"}, {"status": "affected", "version": ">= 1.1.0, < 2.7.0"}]}], "descriptions": [{"lang": "en", "value": "cruddl is software for creating a GraphQL API for a database, using the GraphQL SDL to model a schema. If cruddl starting with version 1.1.0 and prior to versions 2.7.0 and 3.0.2 is used to generate a schema that uses `@flexSearchFulltext`, users of that schema may be able to inject arbitrary AQL queries that will be forwarded to and executed by ArangoDB. Schemas that do not use `@flexSearchFulltext` are not affected. The attacker needs to have `READ` permission to at least one root entity type that has `@flexSearchFulltext` enabled. The issue has been fixed in version 3.0.2 and in version 2.7.0 of cruddl. As a workaround, users can temporarily remove `@flexSearchFulltext` from their schemas."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-943", "description": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-74", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-08T21:15:13", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/AEB-labs/cruddl/security/advisories/GHSA-qm4w-4995-vg7f"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/AEB-labs/cruddl/pull/253"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/AEB-labs/cruddl/commit/13b9233733ed6fc822718a07bc90a80cd3492698"}], "source": {"advisory": "GHSA-qm4w-4995-vg7f", "discovery": "UNKNOWN"}, "title": "cruddl vulnerable to AQL injection through flexSearch", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-36084", "STATE": "PUBLIC", "TITLE": "cruddl vulnerable to AQL injection through flexSearch"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "cruddl", "version": {"version_data": [{"version_value": ">= 3.0.0, < 3.0.2"}, {"version_value": ">= 1.1.0, < 2.7.0"}]}}]}, "vendor_name": "AEB-labs"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "cruddl is software for creating a GraphQL API for a database, using the GraphQL SDL to model a schema. If cruddl starting with version 1.1.0 and prior to versions 2.7.0 and 3.0.2 is used to generate a schema that uses `@flexSearchFulltext`, users of that schema may be able to inject arbitrary AQL queries that will be forwarded to and executed by ArangoDB. Schemas that do not use `@flexSearchFulltext` are not affected. The attacker needs to have `READ` permission to at least one root entity type that has `@flexSearchFulltext` enabled. The issue has been fixed in version 3.0.2 and in version 2.7.0 of cruddl. As a workaround, users can temporarily remove `@flexSearchFulltext` from their schemas."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-943: Improper Neutralization of Special Elements in Data Query Logic"}]}, {"description": [{"lang": "eng", "value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/AEB-labs/cruddl/security/advisories/GHSA-qm4w-4995-vg7f", "refsource": "CONFIRM", "url": "https://github.com/AEB-labs/cruddl/security/advisories/GHSA-qm4w-4995-vg7f"}, {"name": "https://github.com/AEB-labs/cruddl/pull/253", "refsource": "MISC", "url": "https://github.com/AEB-labs/cruddl/pull/253"}, {"name": "https://github.com/AEB-labs/cruddl/commit/13b9233733ed6fc822718a07bc90a80cd3492698", "refsource": "MISC", "url": "https://github.com/AEB-labs/cruddl/commit/13b9233733ed6fc822718a07bc90a80cd3492698"}]}, "source": {"advisory": "GHSA-qm4w-4995-vg7f", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-36084", "datePublished": "2022-09-08T21:15:13", "dateReserved": "2022-07-15T00:00:00", "dateUpdated": "2022-09-08T21:15:13", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:aeb:cruddl:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "B819657F-CBA8-42E1-A658-5DF74F6C2103", "versionEndExcluding": "2.7.0", "versionStartIncluding": "1.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:aeb:cruddl:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "A34E8018-8A03-44A6-8DD0-99BD8A879FAC", "versionEndExcluding": "3.0.2", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "cruddl is software for creating a GraphQL API for a database, using the GraphQL SDL to model a schema. If cruddl starting with version 1.1.0 and prior to versions 2.7.0 and 3.0.2 is used to generate a schema that uses `@flexSearchFulltext`, users of that schema may be able to inject arbitrary AQL queries that will be forwarded to and executed by ArangoDB. Schemas that do not use `@flexSearchFulltext` are not affected. The attacker needs to have `READ` permission to at least one root entity type that has `@flexSearchFulltext` enabled. The issue has been fixed in version 3.0.2 and in version 2.7.0 of cruddl. As a workaround, users can temporarily remove `@flexSearchFulltext` from their schemas."}, {"lang": "es", "value": "cruddl es un software para crear una API GraphQL para una base de datos, usando GraphQL SDL para modelar un esquema. Si es usado cruddl a partir de la versi\u00f3n 1.1.0 y anteriores a 2.7.0 y 3.0.2, para generar un esquema que usa \"@flexSearchFulltext\", los usuarios de ese esquema pueden inyectar consultas AQL arbitrarias que ser\u00e1n reenviadas a y ejecutadas por ArangoDB. Los esquemas que no usan \"@flexSearchFulltext\" no est\u00e1n afectados. El atacante debe tener permiso \"READ\" para al menos un tipo de entidad root que tenga habilitado \"@flexSearchFulltext\". El problema ha sido corregido en versi\u00f3n 3.0.2 y en versi\u00f3n 2.7.0 de cruddl. Como mitigaci\u00f3n, los usuarios pueden eliminar temporalmente \"@flexSearchFulltext\" de sus esquemas"}], "id": "CVE-2022-36084", "lastModified": "2023-06-29T16:16:54.117", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-09-08T22:15:08.713", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/AEB-labs/cruddl/commit/13b9233733ed6fc822718a07bc90a80cd3492698"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/AEB-labs/cruddl/pull/253"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/AEB-labs/cruddl/security/advisories/GHSA-qm4w-4995-vg7f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-943"}], "source": "security-advisories@github.com", "type": "Secondary"}]}