Vulnerability Information
Vulnerability Title
cruddl vulnerable to AQL injection through flexSearch
Vulnerability Description
cruddl is software for creating a GraphQL API for a database, using the GraphQL SDL to model a schema. If cruddl starting with version 1.1.0 and prior to versions 2.7.0 and 3.0.2 is used to generate a schema that uses `@flexSearchFulltext`, users of that schema may be able to inject arbitrary AQL queries that will be forwarded to and executed by ArangoDB. Schemas that do not use `@flexSearchFulltext` are not affected. The attacker needs to have `READ` permission to at least one root entity type that has `@flexSearchFulltext` enabled. The issue has been fixed in version 3.0.2 and in version 2.7.0 of cruddl. As a workaround, users can temporarily remove `@flexSearchFulltext` from their schemas.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
Improper Neutralization of Special Elements in Data Query Logic
Vulnerability Title
cruddl security vulnerability
Vulnerability Description
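cruddl is an open-source library from AEB (Germany). It is used to create a GraphQL API for your database, using the GraphQL SDL to model your schema. cruddl contains a security vulnerability that allows an attacker to inject arbitrary AQL queries, which are forwarded to and executed by ArangoDB.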
CVSS Information
N/A
Vulnerability Type
N/A