10

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-36084

GHSA ID

GHSA-qm4w-4995-vg7f

EPSS Score

0.75858%

CWE

CWE-74

Published

9/16/2022

Updated

1/27/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-36084

CVE-2022-36084: cruddl vulnerable to ArangoDB Query Language (AQL) injection through flexSearch

Impact

If a vunerable version of cruddl is used to generate a schema that uses @flexSearchFulltext, users of that schema may be able to inject arbitrary AQL queries that will be forwarded to and executed by ArangoDB.

Schemas that do not use @flexSearchFulltext are not affected.

The attacker needs to have READ permission to at least one root entity type that has @flexSearchFulltext enabled.

Patches

The issue has been fixed in version 3.0.2 and in version 2.7.0 of cruddl.

Workarounds

Users can temporarily remove @flexSearchFulltext from their schemas before they can update cruddl.

For more information

If you have any questions or comments about this advisory:

Open an issue in cruddl
Email us at security@aeb.com

(GitHub Advisory)

10

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-36084

GHSA ID

GHSA-qm4w-4995-vg7f

EPSS Score

0.75858%

CWE

CWE-74

Published

9/16/2022

Updated

1/27/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
cruddl	npm	>= 3.0.0, < 3.0.2	3.0.2
cruddl	npm	>= 1.1.0, < 2.7.0	2.7.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper AQL query construction in generateTokenizationQuery. The commit diff shows the function was modified from unsafe string interpolation (TOKENS("${value.expression}", ...)) to parameterized aql-tagged templates. This matches the CWE-74 injection pattern described in the advisory, where user-controlled inputs were not neutralized before being used in downstream AQL queries. The arangodb-adapter.ts changes demonstrate the transition from raw query execution to using parameterized boundValues, confirming the injection vector was in query generation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t I* * vun*r**l* v*rsion o* *ru**l is us** to **n*r*t* * s***m* t**t us*s `@*l*xS**r***ullt*xt`, us*rs o* t**t s***m* m*y ** **l* to inj**t *r*itr*ry *QL qu*ri*s t**t will ** *orw*r*** to *n* *x**ut** *y *r*n*o**. S***m*s t**t *o not us* `

Reasoning

T** vuln*r**ility st*ms *rom improp*r *QL qu*ry *onstru*tion in **n*r*t*Tok*niz*tionQu*ry. T** *ommit *i** s*ows t** *un*tion w*s mo*i*i** *rom uns*** strin* int*rpol*tion (`TOK*NS("${v*lu*.*xpr*ssion}", ...)`) to p*r*m*t*riz** *ql-t***** t*mpl*t*s.

10

Basic Information

Concerned about an active attack path?

CVE-2022-36084: cruddl vulnerable to ArangoDB Query Language (AQL) injection through flexSearch

Impact

Patches

Workarounds

For more information

10

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI