1. What is this vulnerability and why does it matter?
CVE-2024-37843 is a critical SQL injection vulnerability affecting Craft CMS versions up to and including v3.7.31. This flaw exists within the GraphQL API endpoint. It matters significantly because it allows unauthenticated remote attackers to execute arbitrary SQL queries against the underlying database. Successful exploitation can lead to a complete compromise of data confidentiality, integrity, and availability, including sensitive data exfiltration and potential remote code execution in some configurations. The existence of published active exploits further elevates its importance, making it an immediate and severe threat to affected systems.
2. What are the CVSS score, severity level, and disclosure details?
The CVSS (Common Vulnerability Scoring System) Base Score for CVE-2024-37843 is 9.8. This score assigns a severity level of CRITICAL to the vulnerability. The vulnerability was first published by the National Vulnerability Database (NVD) and the GitHub Advisory Database on June 25, 2024. The NVD record was last modified on August 2, 2024, and the GitHub Advisory Database record was reviewed on July 19, 2024.
3. Which products, vendors, systems, and versions are affected?
- Product: Craft CMS
- Vendor: Pixel & Tonic (developer of Craft CMS)
- Affected Versions: All versions of Craft CMS up to and including v3.7.31 are vulnerable.
4. What is the technical root cause and attack vector?
The technical root cause of CVE-2024-37843 is an Improper Neutralization of Special Elements used in an SQL Command, commonly known as SQL Injection (CWE-89). Specifically, the vulnerability arises in the GraphQL query processing logic where user-controlled parameters, such as 'orderBy', are directly incorporated into SQL queries without adequate sanitization or validation. The attack vector is network-based, targeting the GraphQL API endpoint of the Craft CMS application.
5. How can this vulnerability be exploited?
This vulnerability can be exploited by an unauthenticated attacker who crafts and sends malicious GraphQL queries containing SQL injection payloads to the vulnerable Craft CMS GraphQL API endpoint. The lack of proper input validation allows the injected SQL commands to be processed and executed by the backend database. Since no authentication or user interaction is required, any Craft CMS installation with GraphQL enabled and accessible over the network is susceptible to exploitation. Successful exploitation can lead to unauthorized database access, data manipulation, and potentially broader system compromise.
6. What mitigation steps and patches are available?
The primary mitigation step is to update Craft CMS to a version later than v3.7.31. This ensures that the patch addressing the SQL injection vulnerability is applied. In addition to patching, general mitigation strategies include:
- Implementing Web Application Firewalls (WAFs) to detect and block malicious SQL injection attempts.
- Ensuring robust input validation is in place for all user-supplied data, especially within API endpoints.
- Following the principle of least privilege for database accounts and application permissions.
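The root cause described in section 4 and the "robust input validation" mitigation above, as an added illustration that is not Craft CMS code: a sort specification such as `orderBy: "title desc"` is parsed and checked against an allowlist of column names before any SQL is built, beside the unsafe splice pattern the advisory describes. Column names and the `entries` table are constructed for the example.

```python
import re
import sqlite3

# Columns the API may sort by (illustrative names, not Craft's schema). Anything
# outside this allowlist is rejected before it can reach the query builder.
ALLOWED_ORDER_COLUMNS = {"id", "title", "postDate", "dateUpdated"}
ORDER_SPEC = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(asc|desc)?\s*$", re.I)


def build_order_by_unsafe(order_by: str) -> str:
    """The CWE-89 pattern the advisory describes: the client-supplied orderBy
    value is spliced straight into the SQL text, so it can carry anything."""
    return f"SELECT id, title FROM entries ORDER BY {order_by}"


def parse_order_by(order_by: str) -> tuple:
    """Accept only 'column [asc|desc]' with an allowlisted column.

    Raises ValueError otherwise, so the only identifiers that ever reach the
    SQL are constants the application itself owns."""
    m = ORDER_SPEC.match(order_by)
    if not m:
        raise ValueError(f"malformed orderBy: {order_by!r}")
    column, direction = m.group(1), (m.group(2) or "asc").upper()
    if column not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"orderBy column not permitted: {column!r}")
    return column, direction


def build_order_by_safe(order_by: str) -> str:
    column, direction = parse_order_by(order_by)
    # Both parts are now validated constants, never raw user input.
    return f'SELECT id, title FROM entries ORDER BY "{column}" {direction}'


def fetch_titles(order_by: str) -> list:
    """Run the hardened query against an in-memory table of constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entries (id INTEGER, title TEXT, "
                 "postDate TEXT, dateUpdated TEXT)")
    conn.executemany("INSERT INTO entries VALUES (?, ?, ?, ?)", [
        (1, "Alpha", "2024-01-01", "2024-06-01"),
        (2, "Gamma", "2024-02-01", "2024-05-01"),
        (3, "Beta", "2024-03-01", "2024-04-01"),
    ])
    rows = conn.execute(build_order_by_safe(order_by)).fetchall()
    conn.close()
    return [title for _id, title in rows]
```

The allowlist is the control that matters: parameter binding cannot be used for an ORDER BY identifier, so the set of legal values has to be closed by the application itself.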
7. How can vulnerable systems be detected?
Vulnerable systems can be detected by identifying the version of Craft CMS running on the server. Any installation of Craft CMS at version v3.7.31 or older is considered vulnerable. Automated security scanning tools, particularly those capable of identifying SQL injection vulnerabilities in GraphQL API endpoints, can also be employed to detect susceptible systems. Regular software inventory and version checks are crucial for identifying outdated installations.
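A version check of the kind described above, added here as an example rather than taken from the advisory: it reads the `craftcms/cms` pin from a project's `composer.lock` (Craft CMS is installed through Composer) and compares it against the 3.7.31 boundary the advisory gives. The `composer.lock` excerpt is constructed.

```python
import json
import re
from typing import Optional

PACKAGE = "craftcms/cms"       # Composer package name under which Craft CMS ships
LAST_VULNERABLE = (3, 7, 31)   # CVE-2024-37843: releases up to and including 3.7.31

# Constructed composer.lock excerpt standing in for the real file on a host.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "3.7.31"},
        {"name": "yiisoft/yii2", "version": "2.0.49"},
    ]
})


def parse_version(text: str) -> tuple:
    """Turn 'v3.7.31', '3.7.31.1' or '3.7.31-beta.2' into a comparable tuple.
    Pre-release and build suffixes are dropped; only numeric parts are compared,
    and short versions are padded so '3.7' compares as (3, 7, 0)."""
    m = re.match(r"^v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def installed_craft_version(lock_json: str) -> Optional[str]:
    """Return the pinned craftcms/cms version from composer.lock, or None."""
    for pkg in json.loads(lock_json).get("packages", []):
        if pkg.get("name") == PACKAGE:
            return pkg["version"]
    return None


def is_vulnerable(version: str) -> bool:
    # Python compares tuples lexicographically, so (3, 7, 31, 1) > (3, 7, 31):
    # a 3.7.31.x point release counts as "later than v3.7.31".
    return parse_version(version) <= LAST_VULNERABLE


def assess(lock_json: str) -> dict:
    version = installed_craft_version(lock_json)
    if version is None:
        return {"version": None, "vulnerable": None}  # package not present
    return {"version": version, "vulnerable": is_vulnerable(version)}
```

The lock file reflects what was installed, not necessarily what is running; on a fleet, pair this with the version the live application reports.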
8. What are the indicators of compromise (IOCs)?
Indicators of Compromise (IOCs) for this vulnerability may include:
- Unusual or unexpected SQL queries observed in database logs.
- Unauthorized data modifications or deletions within the Craft CMS database.
- Evidence of sensitive data exfiltration from the database.
- Suspicious or anomalous network traffic directed at the GraphQL API endpoint.
- Presence of known SQL injection payloads or error messages indicating SQL errors in web server or application logs.
- Unauthorized user accounts or changes to existing user privileges within the Craft CMS application.
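The last two log-based indicators above, as an added detection example that is not part of the advisory: it walks a constructed, simplified per-request application log, keeps only requests to the GraphQL route that surfaced a database error (`SQLSTATE[...]`), and flags clients that repeatedly produced them. The `/api` route and the log layout are assumptions for the example.

```python
import re
from collections import Counter

# Constructed application log in a simplified one-line-per-request format:
# timestamp, client IP, method, path, HTTP status, quoted DB/application message.
SAMPLE_LOG = """\
2024-06-26T10:01:12Z 203.0.113.7 POST /api 500 "SQLSTATE[42000]: Syntax error or access violation"
2024-06-26T10:01:13Z 203.0.113.7 POST /api 500 "SQLSTATE[42000]: Syntax error or access violation"
2024-06-26T10:01:15Z 203.0.113.7 POST /api 200 "ok"
2024-06-26T10:02:00Z 198.51.100.4 POST /api 200 "ok"
2024-06-26T10:02:31Z 198.51.100.4 GET /index.php 500 "SQLSTATE[HY000]: General error"
2024-06-26T10:03:02Z 192.0.2.9 POST /api 500 "SQLSTATE[42S22]: Column not found"
"""

GRAPHQL_PATH = "/api"  # assumed route for the Craft GraphQL endpoint; adjust per site
LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')
SQL_ERROR = re.compile(r"SQLSTATE\[[0-9A-Z]{5}\]")


def parse_line(line: str):
    """Split one log line into fields; returns None for lines that do not fit."""
    m = LINE.match(line)
    if not m:
        return None
    ts, ip, method, path, status, msg = m.groups()
    return {"ts": ts, "ip": ip, "method": method, "path": path,
            "status": int(status), "msg": msg}


def sql_errors_by_ip(log_text: str) -> dict:
    """Count requests to the GraphQL endpoint whose handling surfaced a database
    error. Errors on other routes are ignored: they are noise for this IOC."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == GRAPHQL_PATH and SQL_ERROR.search(rec["msg"]):
            counts[rec["ip"]] += 1
    return dict(counts)


def flag_sources(log_text: str, threshold: int = 2) -> list:
    """Sources that triggered at least `threshold` SQL errors via GraphQL:
    repeated malformed queries from one client is the pattern to review."""
    counts = sql_errors_by_ip(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

A single database error from an unauthenticated GraphQL client is already worth a look on a version in the affected range; the threshold only ranks the review queue.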
9. Which threat actors are known to exploit this vulnerability?
While the source data states that "Active exploits have been published to exploit the vulnerability," it does not name any specific threat actors or groups known to be exploiting CVE-2024-37843.
10. What public intelligence references and advisories exist?
Public intelligence references and advisories for CVE-2024-37843 include:
- CVE Record: CVE-2024-37843, available on the National Vulnerability Database (NVD) and GitHub Advisory Database.
- CWE: CWE-89, identifying the vulnerability as an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection').
- Security Advisories and Blogs:
  - Miggo Security blog post detailing the Craft CMS GraphQL API SQL injection.
  - Information from the Vulnerability & Exploit Database.
  - Advisories from security vendors such as SentinelOne.
11. What is the risk assessment and urgency level?
The risk assessment for CVE-2024-37843 is CRITICAL due to its CVSS Base Score of 9.8. This unauthenticated SQL injection vulnerability via the GraphQL API allows remote attackers to fully compromise the database, leading to high impacts on confidentiality, integrity, and availability. Given the critical severity and the confirmed existence of active exploits, the urgency level for addressing this vulnerability is IMMEDIATE. Organizations running affected versions of Craft CMS must apply the necessary patches without delay to prevent potential compromise.