CVE-2022-36084

Description

### Impact If a vunerable version of cruddl is used to generate a schema that uses `@flexSearchFulltext`, users of that schema may be able to inject arbitrary AQL queries that will be forwarded to and executed by ArangoDB. Schemas that do not use `@flexSearchFulltext` are not affected. The attacker needs to have `READ` permission to at least one root entity type that has `@flexSearchFulltext` enabled. ### Patches The issue has been fixed in version 3.0.2 and in version 2.7.0 of cruddl. ### Workarounds Users can temporarily remove `@flexSearchFulltext` from their schemas before they can update cruddl. ### For more information If you have any questions or comments about this advisory: * Open an issue in [cruddl](https://github.com/AEB-labs/cruddl) * Email us at [[email protected]](mailto:[email protected])

How to fix CVE-2022-36084

To remediate CVE-2022-36084, upgrade the affected package to a fixed version below.

• —upgrade to 3.0.2 or later

Is CVE-2022-36084 being exploited?

Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 3.0.0, < 3.0.2

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-36084
• PATCHgithub.com/AEB-labs/cruddl
• WEBgithub.com/AEB-labs/cruddl/commit/13b9233733ed6fc822718a07bc90a80cd3492698
• WEBgithub.com/AEB-labs/cruddl/pull/253
• WEB