CVE-2022-36084
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in npm/cruddl
CVE-2022-36084, GHSA-qm4w-4995-vg7f
npm/cruddl
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
cruddl is software for creating a GraphQL API for a database, using the GraphQL SDL to model a schema. If cruddl starting with version 1.1.0 and prior to versions 2.7.0 and 3.0.2 is used to generate a schema that uses @flexSearchFulltext, users of that schema may be able to inject arbitrary AQL queries that will be forwarded to and executed by ArangoDB. Schemas that do not use @flexSearchFulltext are not affected. The attacker needs to have READ permission to at least one root entity type that has @flexSearchFulltext enabled. The issue has been fixed in version 3.0.2 and in version 2.7.0 of cruddl. As a workaround, users can temporarily remove @flexSearchFulltext from their schemas.
All versions starting from 1.1.0 before 2.7.0, all versions starting from 3.0.0 before 3.0.2
Upgrade to versions 2.7.0, 3.0.2 or above.
2022-09-13
| source |