PT-2022-23173 · Arangodb+1 · Arangodb+1

Yogu · Published 2022-09-08 · Updated 2023-06-29 · CVE-2022-36084

CVSS v3.1: 9.9 Critical

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

cruddl versions 1.1.0 through 2.6.x
cruddl versions 3.0.0 through 3.0.1

Description

The issue affects cruddl when used to generate a schema that uses @flexSearchFulltext. Users of that schema may be able to inject arbitrary AQL queries that will be forwarded to and executed by ArangoDB. Schemas that do not use @flexSearchFulltext are not affected. The attacker needs to have READ permission to at least one root entity type that has @flexSearchFulltext enabled.

Recommendations

For cruddl versions 1.1.0 through 2.6.x, update to version 2.7.0 to resolve the issue. For cruddl versions 3.0.0 through 3.0.1, update to version 3.0.2 to resolve the issue. As a temporary workaround, consider removing @flexSearchFulltext from your schemas until you can update cruddl.
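
A triage check for the two conditions above (an affected cruddl version and a schema that uses @flexSearchFulltext), as an added example that is not part of the advisory or of cruddl. The helper names and the sample schema are constructed for illustration, and the regex scan of the schema text is an approximation, not a GraphQL parser.

```javascript
// Added triage example, not cruddl code. Ranges and fixed versions are the advisory's.
const AFFECTED = [
  { from: [1, 1, 0], fixed: [2, 7, 0] }, // 1.1.0 through 2.6.x
  { from: [3, 0, 0], fixed: [3, 0, 2] }, // 3.0.0 through 3.0.1
];
function parseVersion(v) {
  // Pre-release and build suffixes are ignored (assumption of this example).
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns the fixed version to move to for an affected version, or null.
function fixedVersionFor(v) {
  const p = parseVersion(v);
  const hit = AFFECTED.find((range) => cmp(p, range.from) >= 0 && cmp(p, range.fixed) < 0);
  return hit ? hit.fixed.join('.') : null;
}

// Names of schema types with at least one field carrying @flexSearchFulltext.
function typesUsingFulltext(sdl) {
  const src = sdl.replace(/#[^\n]*/g, ''); // drop SDL comments before matching
  const hits = [];
  for (const [, name, body] of src.matchAll(/\btype\s+(\w+)[^{]*\{([^}]*)\}/g)) {
    if (/@flexSearchFulltext\b/.test(body)) hits.push(name);
  }
  return hits;
}

function triage(version, sdl) {
  const fixedIn = fixedVersionFor(version);
  const types = typesUsingFulltext(sdl);
  return { fixedIn, types, exposed: fixedIn !== null && types.length > 0 };
}

// Constructed sample schema, not taken from any real project.
const SAMPLE_SDL = `
type Article @rootEntity {
  title: String @flexSearchFulltext
}
type Author @rootEntity {
  name: String # @flexSearchFulltext only in a comment
}
`;
console.log(triage('3.0.1', SAMPLE_SDL));
```

A result with `exposed: true` means both conditions from the description hold; `types` lists where the workaround of removing @flexSearchFulltext would apply until the update to `fixedIn` is deployed.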

Exploit

Fix

Weakness Enumeration

Special Elements Injection

Related Identifiers

CVE-2022-36084
GHSA-QM4W-4995-VG7F

Affected Products

Arangodb
Cruddl