CVE-2024-57654

HighPublic PoC

Published: 14 January 2025

Published

14 January 2025

Modified

17 April 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0027 50.9th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

An issue in the qst_vec_get_int64 component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

Security Summary

CVE-2024-57654 is a denial-of-service vulnerability in the qst_vec_get_int64 component of OpenLink Virtuoso OpenSource version 7.2.11. The flaw allows attackers to trigger a DoS condition through specially crafted SQL statements, stemming from CWE-404 (Improper Resource Shutdown or Denial of Service). It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its network accessibility, low complexity, lack of required privileges or user interaction, and significant impact on availability.

Remote, unauthenticated attackers can exploit this vulnerability by sending malicious SQL statements to a vulnerable Virtuoso instance. Successful exploitation disrupts service availability, potentially crashing the server or rendering it unresponsive without affecting confidentiality or integrity.

For mitigation details, refer to the advisory in the GitHub issue at https://github.com/openlink/virtuoso-opensource/issues/1205.

Details

CWE(s): CWE-404

Affected Products

openlinksw

virtuoso

7.2.11

References

https://github.com/openlink/virtuoso-opensource/issues/1205
Exploit, Issue Tracking, Vendor Advisory · cve@mitre.org