OSV: GHSA-QM4W-4995-VG7F
Sep 16, 2022 - 5:43 p.m.

cruddl vulnerable to ArangoDB Query Language (AQL) injection through flexSearch

2022-09-16 17:43:10
Source: Google, osv.dev
Tags: cruddl, arangodb, injection, flexsearch, schema, aql, fix, workaround, security advisory

CVSS3: 9.9
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.002
Percentile: 60.7%

Impact

If a vulnerable version of cruddl is used to generate a schema that uses @flexSearchFulltext, users of that schema may be able to inject arbitrary AQL queries that will be forwarded to and executed by ArangoDB.

Schemas that do not use @flexSearchFulltext are not affected.

The attacker needs to have READ permission to at least one root entity type that has @flexSearchFulltext enabled.

Patches

The issue has been fixed in version 3.0.2 and in version 2.7.0 of cruddl.

Workarounds

Users can temporarily remove @flexSearchFulltext from their schemas before they can update cruddl.
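The two facts an operator needs in order to triage this advisory are both stated above: exposure requires a schema that uses @flexSearchFulltext, and the fix ships in cruddl 2.7.0 and 3.0.2. The following script, added here as an example and not part of the advisory or of cruddl itself, scans a cruddl GraphQL schema (SDL text) for fields that carry @flexSearchFulltext and checks an installed cruddl version against those fixed releases. The sample schema is constructed; the directive arguments on it (`@rootEntity(flexSearch: true)`, `@childEntity`) are assumed for illustration, and the version rule assumes that every release below 2.7.0 is affected and that the 3.x line is affected from 3.0.0 up to but not including 3.0.2.

```javascript
// Added example for triaging GHSA-QM4W-4995-VG7F. Not cruddl's own code.
// Two checks: (1) does the schema expose @flexSearchFulltext at all, and
// (2) is the installed cruddl version older than the fixed releases?

const FIXED_VERSIONS = ['2.7.0', '3.0.2']; // from the advisory

// Parse "3.0.1", "v3.0.1", "^3.0.1" or "~3.0.1" into [major, minor, patch].
function parseSemver(version) {
  const m = String(version).match(/^[\^~]?v?(\d+)\.(\d+)\.(\d+)/);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Assumption: anything below 2.7.0 is affected; the 3.x line is affected
// below 3.0.2. Versions at or above the fix for their line are not affected.
function isAffectedCruddlVersion(version) {
  const v = parseSemver(version);
  if (v === null) throw new Error(`not a semver version: ${version}`);
  const fix = v[0] >= 3 ? parseSemver(FIXED_VERSIONS[1]) : parseSemver(FIXED_VERSIONS[0]);
  return compareSemver(v, fix) < 0;
}

// Walk an SDL string and report every field that uses @flexSearchFulltext,
// with its enclosing type and line number. A simple brace-depth tracker is
// enough because SDL type bodies are flat.
function findFlexSearchFulltextFields(sdl) {
  const hits = [];
  let currentType = null;
  let depth = 0;
  sdl.split('\n').forEach((raw, idx) => {
    const line = raw.replace(/#.*$/, '').trim(); // strip SDL comments
    const typeMatch = line.match(/^(?:type|interface|input)\s+([A-Za-z_][A-Za-z0-9_]*)/);
    if (depth === 0 && typeMatch) currentType = typeMatch[1];
    if (depth > 0 && currentType && /@flexSearchFulltext\b/.test(line)) {
      const fieldMatch = line.match(/^([A-Za-z_][A-Za-z0-9_]*)\s*(?:\(|:)/);
      hits.push({ type: currentType, field: fieldMatch ? fieldMatch[1] : null, line: idx + 1 });
    }
    for (const ch of line) {
      if (ch === '{') depth++;
      else if (ch === '}') depth--;
    }
    if (depth === 0 && line.includes('}')) currentType = null;
  });
  return hits;
}

// Combine both checks: affected only when the version is vulnerable AND the
// schema actually uses the directive (schemas without it are not affected).
function auditSchema(sdl, installedVersion) {
  const fields = findFlexSearchFulltextFields(sdl);
  const versionAffected = isAffectedCruddlVersion(installedVersion);
  return {
    versionAffected,
    flexSearchFulltextFields: fields,
    affected: versionAffected && fields.length > 0,
    fixedVersions: FIXED_VERSIONS,
  };
}

// Constructed sample schema; directive arguments are assumed for illustration.
const SAMPLE_SCHEMA = `
type Order @rootEntity(flexSearch: true) {
  orderNumber: String @flexSearch @key
  description: String @flexSearchFulltext   # the field that matters here
  items: [OrderItem]
}

type OrderItem @childEntity {
  name: String
}

type Customer @rootEntity {
  name: String @flexSearch
}
`;

const report = auditSchema(SAMPLE_SCHEMA, '3.0.1');
console.log(JSON.stringify(report, null, 2));

module.exports = { parseSemver, isAffectedCruddlVersion, findFlexSearchFulltextFields, auditSchema, SAMPLE_SCHEMA };
```

On the sample, the report lists `Order.description` as the only exposed field and flags version 3.0.1 as affected; the same schema on 3.0.2 or 2.7.0 reports `affected: false`, as does any version once the @flexSearchFulltext field is removed, which is exactly the temporary workaround described above.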

For more information

If you have any questions or comments about this advisory:
