CVE-2022-36084 in cruddl

Summary

by MITRE • 09/09/2022

cruddl is software for creating a GraphQL API for a database, using the GraphQL SDL to model a schema. If cruddl starting with version 1.1.0 and prior to versions 2.7.0 and 3.0.2 is used to generate a schema that uses `@flexSearchFulltext`, users of that schema may be able to inject arbitrary AQL queries that will be forwarded to and executed by ArangoDB. Schemas that do not use `@flexSearchFulltext` are not affected. The attacker needs to have `READ` permission to at least one root entity type that has `@flexSearchFulltext` enabled. The issue has been fixed in version 3.0.2 and in version 2.7.0 of cruddl. As a workaround, users can temporarily remove `@flexSearchFulltext` from their schemas.


Analysis

by VulDB Data Team • 09/09/2022

The vulnerability CVE-2022-36084 represents a critical security flaw in cruddl, a software tool designed to generate GraphQL APIs for database systems using GraphQL SDL schema modeling. This issue specifically affects versions 1.1.0 through 2.6.9 and 3.0.0 through 3.0.1, creating a dangerous condition where arbitrary AQL queries can be injected and executed within the underlying ArangoDB system. The vulnerability is particularly concerning because it leverages the @flexSearchFulltext directive, which enables full-text search capabilities within the GraphQL schema, to create a path for unauthorized code execution. The flaw demonstrates a classic command injection vulnerability where user-controlled input flows directly into database execution contexts without proper sanitization or validation.

Technically, the vulnerability stems from insufficient input validation in the cruddl schema generation process when it handles the flexSearchFulltext directive. When a schema element carries this directive, the generated code fails to sanitize or escape user-provided search parameters before forwarding them to ArangoDB's AQL query engine. A caller can therefore supply a search value that carries embedded AQL, and that AQL executes with the privileges of the database connection. The prerequisites for exploitation are minimal: only READ permission to at least one root entity type that has flexSearchFulltext enabled is required, making the issue particularly dangerous in environments where many users hold such access. The flaw aligns with CWE-94, improper control of generation of code, and represents a code injection vulnerability that can be categorized under the ATT&CK framework as T1059.006 for Command and Scripting Interpreter - PowerShell.

The operational impact of this vulnerability extends beyond simple data theft, as it allows attackers to execute arbitrary database commands with potentially elevated privileges, depending on the database connection configuration. Successful exploitation could enable attackers to perform data manipulation, read sensitive information, modify database structures, or even escalate their privileges within the database environment. The vulnerability affects organizations using cruddl for API generation who have not yet upgraded to the patched versions, creating a window of opportunity for attackers to compromise database integrity and confidentiality. Organizations implementing cruddl with @flexSearchFulltext directives face particular risk since the vulnerability is directly tied to this specific schema element, making the attack surface more predictable for threat actors.

Mitigation for CVE-2022-36084 is to upgrade immediately to cruddl version 2.7.0 or 3.0.2, which contain the patches for the input validation issue. Until the upgrade is complete, the temporary workaround is to remove @flexSearchFulltext directives from the schema so that no vulnerable search functionality remains active. Additional measures include robust input validation at the application level, monitoring database query logs for suspicious activity, and running the database connection with the minimum privileges it needs. The vulnerability underlines the need to keep user input out of generated database queries in API development tools. Database activity monitoring that alerts on unusual query patterns can also help detect exploitation attempts. The fix addresses the root cause by parameterizing the database queries and escaping user inputs before they reach the database engine, so that malicious AQL can no longer be injected through the GraphQL interface.
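The following is an added illustration, not cruddl's own code, of the two query shapes the analysis contrasts: a full-text search term interpolated into AQL text versus the same term passed as an ArangoDB bind variable. The function names, the view name and the field name are assumptions; the search terms are constructed.

```javascript
// Added example (not from cruddl): untrusted full-text search term in AQL.
const VIEW = "ProductsView";   // constructed: an ArangoSearch view name (assumption)
const ANALYZER = "text_en";

// Vulnerable shape: the term is spliced into the query text. A term containing
// a double quote terminates the string literal, so whatever follows it is
// handed to the AQL parser as query syntax rather than as data.
function buildFulltextQueryUnsafe(term) {
  return {
    query:
      `FOR doc IN ${VIEW} ` +
      `SEARCH ANALYZER(doc.description IN TOKENS("${term}", "${ANALYZER}"), "${ANALYZER}") ` +
      `RETURN doc`,
    bindVars: {},
  };
}

// Hardened shape: the query text is a fixed template and the term travels in
// bindVars, so ArangoDB treats it as a value, never as AQL. (The arangojs `aql`
// tagged template produces this same {query, bindVars} shape automatically.)
function buildFulltextQuerySafe(term) {
  return {
    query:
      `FOR doc IN @@view ` +
      `SEARCH ANALYZER(doc.description IN TOKENS(@term, @analyzer), @analyzer) ` +
      `RETURN doc`,
    bindVars: { "@view": VIEW, term, analyzer: ANALYZER },
  };
}

// Regression check for a test suite: the query text sent to the driver must be
// identical for any two search terms. If it differs, the term reached the parser.
function queryTextIsInputIndependent(build, termA, termB) {
  return build(termA).query === build(termB).query;
}

// Constructed inputs: a benign term and one carrying a string terminator.
const BENIGN = "laptop";
const HOSTILE = 'laptop"';

function demo() {
  return {
    unsafeStable: queryTextIsInputIndependent(buildFulltextQueryUnsafe, BENIGN, HOSTILE),
    safeStable: queryTextIsInputIndependent(buildFulltextQuerySafe, BENIGN, HOSTILE),
    unsafeLeaksTerm: buildFulltextQueryUnsafe(HOSTILE).query.includes(HOSTILE),
  };
}
```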

Responsible: GitHub, Inc.

Reservation: 07/15/2022

Disclosure: 09/09/2022

Moderation: accepted

CPE: ready

EPSS: 0.01134

KEV: no

Activities: very low
