This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1 What is this vulnerability? (Essence + Consequences)
**Essence**: CraftCMS v3.7.31 and earlier has a **SQL Injection** flaw. **Consequences**: Attackers can execute malicious SQL via the **GraphQL API**. This leads to potential data theft or system compromise.
Q2 Root Cause? (CWE/Flaw)
**Root Cause**: **SQL Injection (SQLi)**. Specifically, a **Time-based Blind SQLi**. The vulnerability lies in how the GraphQL API endpoint processes input without proper sanitization. CWE ID not provided in the source data.
Q3 Who is affected? (Versions/Components)
**Affected**: **CraftCMS** versions **v3.7.31 and earlier**. Component: The **GraphQL API endpoint**. Any instance running these versions is at risk.
**Threshold**: **LOW**. The vulnerability is **Unauthenticated**. No login required. Attackers can exploit it directly via the `/api/` endpoint using standard HTTP POST requests. Easy to trigger.
Q6 Is there a public Exp? (PoC/Wild Exploitation)
**Public Exp?**: **YES**. A POC is available on GitHub (`gsmith257-cyber/CVE-2024-37843-POC`). Proof-of-concept code exists demonstrating the time-based blind SQLi. Nuclei templates are also available for scanning.
Q7 How to self-check? (Features/Scanning)
**Self-Check**: Use **Nuclei** with the CVE-2024-37843 template. Send crafted JSON POST requests to `/api/` with malicious GraphQL queries. Look for time delays in the response to confirm blind SQLi.…
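The "look for time delays" hint above also works from the defender's side: time-based blind SQLi needs many requests that each stall for a fixed, injected delay, so a burst of uniformly slow POSTs to the GraphQL endpoint from one client stands out in web-server logs. The script below is an added example, not part of the original analysis; the log lines, IP addresses, field layout (nginx combined format with `$request_time` appended) and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed nginx access-log lines (combined format plus $request_time in
# seconds as the last field). Not taken from the page; 203.0.113.7 simulates
# a client probing /api/ with ~5 s injected delays.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "POST /api/ HTTP/1.1" 200 512 5.012
203.0.113.7 - - [10/Jun/2024:12:00:07 +0000] "POST /api/ HTTP/1.1" 200 512 5.009
203.0.113.7 - - [10/Jun/2024:12:00:13 +0000] "POST /api/ HTTP/1.1" 200 512 5.011
203.0.113.7 - - [10/Jun/2024:12:00:19 +0000] "POST /api/ HTTP/1.1" 200 512 0.041
198.51.100.4 - - [10/Jun/2024:12:00:20 +0000] "POST /api/ HTTP/1.1" 200 2048 0.120
198.51.100.4 - - [10/Jun/2024:12:00:21 +0000] "GET /index.php HTTP/1.1" 200 9000 0.030
192.0.2.9 - - [10/Jun/2024:12:00:22 +0000] "POST /api/ HTTP/1.1" 200 512 4.980
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<rt>[\d.]+)$'
)


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_blind_sqli_candidates(log_text, path_prefix="/api/",
                               slow_seconds=3.0, min_hits=3):
    """Return {client_ip: slow_post_count} for clients that sent at least
    min_hits POSTs to path_prefix, each taking slow_seconds or longer.

    A single slow request is noise; repeated, near-identical delays from one
    source against the GraphQL endpoint are the signature of time-based
    blind extraction and are worth alerting on (thresholds are assumptions).
    """
    slow = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if (rec["method"] == "POST" and rec["path"].startswith(path_prefix)
                and float(rec["rt"]) >= slow_seconds):
            slow[rec["ip"]] += 1
    return {ip: n for ip, n in slow.items() if n >= min_hits}


if __name__ == "__main__":
    print(find_blind_sqli_candidates(SAMPLE_LOG))  # {'203.0.113.7': 3}
```

Tune `slow_seconds` to sit well above the endpoint's normal p99 latency so legitimate heavy GraphQL queries are not flagged.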
**Fix Status**: **YES**. Vendor released a patch. Upgrade to a version **newer than v3.7.31**. Official mitigation is to apply the latest security update from CraftCMS.
Q9 What if no patch? (Workaround)
**No Patch?**: **Workaround**: Restrict access to the **GraphQL API endpoint** (`/api/`). Block external access via WAF or firewall rules. Disable GraphQL if not strictly necessary.…
**Urgency**: **HIGH**. Unauthenticated SQLi is critical. Low exploitation barrier + Public POC = High risk. **Action**: Patch immediately. Prioritize systems exposing the GraphQL API to the internet.