{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2026-04-21T11:03:07.097",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2022-36084",
        "sourceIdentifier": "security-advisories@github.com",
        "published": "2022-09-08T22:15:08.713",
        "lastModified": "2024-11-21T07:12:20.937",
        "vulnStatus": "Modified",
        "cveTags": [],
        "descriptions": [
          {
            "lang": "en",
            "value": "cruddl is software for creating a GraphQL API for a database, using the GraphQL SDL to model a schema. If cruddl starting with version 1.1.0 and prior to versions 2.7.0 and 3.0.2 is used to generate a schema that uses `@flexSearchFulltext`, users of that schema may be able to inject arbitrary AQL queries that will be forwarded to and executed by ArangoDB. Schemas that do not use `@flexSearchFulltext` are not affected. The attacker needs to have `READ` permission to at least one root entity type that has `@flexSearchFulltext` enabled. The issue has been fixed in version 3.0.2 and in version 2.7.0 of cruddl. As a workaround, users can temporarily remove `@flexSearchFulltext` from their schemas."
          }
        ],
        "metrics": {
          "cvssMetricV31": [
            {
              "source": "security-advisories@github.com",
              "type": "Secondary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "LOW",
                "userInteraction": "NONE",
                "scope": "CHANGED",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "availabilityImpact": "HIGH"
              },
              "exploitabilityScore": 3.1,
              "impactScore": 6.0
            },
            {
              "source": "nvd@nist.gov",
              "type": "Primary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "LOW",
                "userInteraction": "NONE",
                "scope": "UNCHANGED",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "availabilityImpact": "HIGH"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 5.9
            }
          ]
        },
        "weaknesses": [
          {
            "source": "security-advisories@github.com",
            "type": "Secondary",
            "description": [
              { "lang": "en", "value": "CWE-74" },
              { "lang": "en", "value": "CWE-943" }
            ]
          },
          {
            "source": "nvd@nist.gov",
            "type": "Primary",
            "description": [
              { "lang": "en", "value": "NVD-CWE-Other" }
            ]
          }
        ],
        "configurations": [
          {
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:aeb:cruddl:*:*:*:*:*:node.js:*:*",
                    "versionStartIncluding": "1.1.0",
                    "versionEndExcluding": "2.7.0",
                    "matchCriteriaId": "B819657F-CBA8-42E1-A658-5DF74F6C2103"
                  },
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:aeb:cruddl:*:*:*:*:*:node.js:*:*",
                    "versionStartIncluding": "3.0.0",
                    "versionEndExcluding": "3.0.2",
                    "matchCriteriaId": "A34E8018-8A03-44A6-8DD0-99BD8A879FAC"
                  }
                ]
              }
            ]
          }
        ],
        "references": [
          {
            "url": "https://github.com/AEB-labs/cruddl/commit/13b9233733ed6fc822718a07bc90a80cd3492698",
            "source": "security-advisories@github.com",
            "tags": ["Patch", "Third Party Advisory"]
          },
          {
            "url": "https://github.com/AEB-labs/cruddl/pull/253",
            "source": "security-advisories@github.com",
            "tags": ["Patch", "Third Party Advisory"]
          },
          {
            "url": "https://github.com/AEB-labs/cruddl/security/advisories/GHSA-qm4w-4995-vg7f",
            "source": "security-advisories@github.com",
            "tags": ["Vendor Advisory"]
          },
          {
            "url": "https://github.com/AEB-labs/cruddl/commit/13b9233733ed6fc822718a07bc90a80cd3492698",
            "source": "af854a3a-2127-422b-91ae-364da2661108",
            "tags": ["Patch", "Third Party Advisory"]
          },
          {
            "url": "https://github.com/AEB-labs/cruddl/pull/253",
            "source": "af854a3a-2127-422b-91ae-364da2661108",
            "tags": ["Patch", "Third Party Advisory"]
          },
          {
            "url": "https://github.com/AEB-labs/cruddl/security/advisories/GHSA-qm4w-4995-vg7f",
            "source": "af854a3a-2127-422b-91ae-364da2661108",
            "tags": ["Vendor Advisory"]
          }
        ]
      }
    }
  ]
}
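The record above describes an AQL injection reachable through schemas that use the `@flexSearchFulltext` directive, lists the affected version ranges in its CPE entries, and names removing the directive as the workaround. The JavaScript below is an added example, not cruddl's source and not the referenced patch: it implements the version-range check from the CPE entries, a heuristic scan of a GraphQL SDL string for types that still carry `@flexSearchFulltext`, and a deliberately vulnerable AQL builder beside a bind-parameter version to show the injection class (user text interpolated into AQL) and why a constant query text with bind variables closes it. The function names, the `articles` view, the `d.title` field, the sample schema and the payload are all assumptions constructed for this example; only the directive name and the version ranges come from the record.

```javascript
// Added illustration for CVE-2022-36084; this is NOT cruddl's code or its fix.
// Only the directive name @flexSearchFulltext and the affected version ranges
// come from the NVD record. Everything else (function names, the view and
// field names, the sample SDL and the payload) is constructed for this example.

// --- 1. Affected-version check, from the record's CPE ranges --------------
// Affected: 1.1.0 <= v < 2.7.0 and 3.0.0 <= v < 3.0.2 (start inclusive, end exclusive).
const AFFECTED_RANGES = [["1.1.0", "2.7.0"], ["3.0.0", "3.0.2"]];

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmpSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isAffectedVersion(version) {
  const v = parseSemver(version);
  return AFFECTED_RANGES.some(
    ([lo, hi]) => cmpSemver(v, parseSemver(lo)) >= 0 && cmpSemver(v, parseSemver(hi)) < 0
  );
}

// --- 2. Does a schema use the directive at all? ---------------------------
// The advisory's workaround is to remove @flexSearchFulltext; this heuristic
// scan of an SDL string returns the object types that still carry it on a field.
// (Regex-based triage check, not a GraphQL parser.)
function typesUsingFlexSearchFulltext(sdl) {
  const hits = [];
  const typeRe = /\btype\s+(\w+)[^{]*\{([^}]*)\}/g;
  let m;
  while ((m = typeRe.exec(sdl)) !== null) {
    if (/@flexSearchFulltext\b/.test(m[2])) hits.push(m[1]);
  }
  return hits;
}

// Constructed sample schema (not taken from the advisory or from cruddl's docs).
const SAMPLE_SDL = `
type Article @rootEntity {
  title: String @flexSearchFulltext
  body: String
}
type Tag @rootEntity {
  name: String @key
}
`;

// --- 3. The injection class: interpolation vs. bind parameters ------------
// Deliberately vulnerable builder: the user's fulltext expression is pasted
// into the AQL text, so a quote in the input ends the string literal and the
// remainder is executed as AQL by ArangoDB.
function buildAqlNaive(view, userExpr) {
  return `FOR d IN ${view} SEARCH ANALYZER(d.title IN TOKENS("${userExpr}", "text_en"), "text_en") RETURN d`;
}

// Hardened builder: the query text is constant; the expression travels as the
// bind variable @expr, which ArangoDB substitutes as a value, never as syntax.
// The view name is not user data here, but it is still whitelisted.
function buildAqlSafe(view, userExpr) {
  if (!/^[A-Za-z_][A-Za-z0-9_-]*$/.test(view)) throw new Error(`invalid view name: ${view}`);
  return {
    query: `FOR d IN ${view} SEARCH ANALYZER(d.title IN TOKENS(@expr, "text_en"), "text_en") RETURN d`,
    bindVars: { expr: userExpr },
  };
}

// Structural injection check: blank out every string literal (honouring
// backslash escapes) and compare the remaining AQL "skeleton" with the one a
// benign input produces. If the input changes the skeleton, it is shaping the
// query rather than filling in a value.
function stripStringLiterals(aql) {
  let out = "";
  for (let i = 0; i < aql.length; i++) {
    const q = aql[i];
    if (q !== '"' && q !== "'") { out += q; continue; }
    out += q + q; // placeholder for the literal
    for (i++; i < aql.length && aql[i] !== q; i++) if (aql[i] === "\\") i++;
  }
  return out;
}

// buildQueryText: (userExpr) => string of AQL. Returns true when user input
// alters the query's structure.
function inputShapesAql(buildQueryText, userExpr) {
  const skeleton = (e) => stripStringLiterals(buildQueryText(e));
  return skeleton(userExpr) !== skeleton("benign search terms");
}

// Constructed payload: closes the literal, then appends attacker-chosen AQL.
const PAYLOAD = 'x") || true RETURN d.secret //';
```

With the naive builder, `inputShapesAql` reports that the payload changes the query skeleton, while the bind-parameter builder yields the same query text for any input and carries the payload only in `bindVars.expr`. The skeleton comparison is a heuristic for reviewing generated queries, not a substitute for bind variables; the fix for this class is that user text never becomes part of the AQL source.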