CVE-2022-30331

The User-Defined Functions (UDF) feature in TigerGraph 3.6.0 allows installation of a query (in the GSQL query language) without proper validation. Consequently, an attacker can execute arbitrary C++ code. NOTE: the vendor's position is "GSQL was behaving as expected."

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://docs.tigergraph.com/home/	Product Vendor Advisory
https://docs.tigergraph.com/home/cve-2022-30331	Vendor Advisory
https://neo4j.com/security/cve-2022-30331/	Third Party Advisory
https://docs.tigergraph.com/home/	Product Vendor Advisory
https://docs.tigergraph.com/home/cve-2022-30331	Vendor Advisory
https://neo4j.com/security/cve-2022-30331/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:tigergraph:tigergraph:3.6.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2022-09-05 16:15

Updated : 2024-11-21 07:02

NVD link : CVE-2022-30331

Mitre link : CVE-2022-30331

CVE.ORG link : CVE-2022-30331

JSON object : View

Products Affected

tigergraph

tigergraph

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2022-30331", "cveTags": [{"tags": ["disputed"], "sourceIdentifier": "cve@mitre.org"}], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2022-09-05T16:15:08.450", "references": [{"url": "https://docs.tigergraph.com/home/", "tags": ["Product", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://docs.tigergraph.com/home/cve-2022-30331", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://neo4j.com/security/cve-2022-30331/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://docs.tigergraph.com/home/", "tags": ["Product", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://docs.tigergraph.com/home/cve-2022-30331", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://neo4j.com/security/cve-2022-30331/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "The User-Defined Functions (UDF) feature in TigerGraph 3.6.0 allows installation of a query (in the GSQL query language) without proper validation. Consequently, an attacker can execute arbitrary C++ code. NOTE: the vendor's position is \"GSQL was behaving as expected.\""}, {"lang": "es", "value": "** EN DISPUTA ** La funcionalidad de Funciones Definidas por el Usuario (UDF) en TigerGraph versi\u00f3n 3.6.0, permite una instalaci\u00f3n de una consulta (en el lenguaje de consulta GSQL) sin la comprobaci\u00f3n apropiada. En consecuencia, un atacante puede ejecutar c\u00f3digo C++ arbitrario. NOTA: la posici\u00f3n del proveedor es \"GSQL era comportada como era esperado\""}], "lastModified": "2024-11-21T07:02:36.307", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tigergraph:tigergraph:3.6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EF79797A-59E3-49A7-A7F5-CBCC064BAF48"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}