
CVE-2022-36084: CWE-943: Improper Neutralization of Special Elements in Data Query Logic in AEB-labs cruddl

Medium
Published: Thu Sep 08 2022 (09/08/2022, 21:15:13 UTC)
Source: CVE
Vendor/Project: AEB-labs
Product: cruddl

Description

cruddl is software for creating a GraphQL API for a database, using the GraphQL SDL to model a schema. If cruddl starting with version 1.1.0 and prior to versions 2.7.0 and 3.0.2 is used to generate a schema that uses `@flexSearchFulltext`, users of that schema may be able to inject arbitrary AQL queries that will be forwarded to and executed by ArangoDB. Schemas that do not use `@flexSearchFulltext` are not affected. The attacker needs to have `READ` permission to at least one root entity type that has `@flexSearchFulltext` enabled. The issue has been fixed in version 3.0.2 and in version 2.7.0 of cruddl. As a workaround, users can temporarily remove `@flexSearchFulltext` from their schemas.

AI-Powered Analysis

Last updated: 06/22/2025, 22:20:04 UTC

Technical Analysis

CVE-2022-36084 is a vulnerability in the AEB-labs cruddl software, which is used to create GraphQL APIs for databases by modeling schemas with the GraphQL SDL. The vulnerability affects versions starting from 1.1.0 up to but not including 2.7.0, and versions from 3.0.0 up to but not including 3.0.2. The issue arises when schemas generated by cruddl use the `@flexSearchFulltext` directive. In such cases, users with READ permission on at least one root entity type that has `@flexSearchFulltext` enabled can inject arbitrary ArangoDB Query Language (AQL) queries. These injected queries are forwarded to and executed by ArangoDB, potentially allowing unauthorized data access or manipulation. Schemas that do not use the `@flexSearchFulltext` directive are not vulnerable. The vulnerability is categorized under CWE-943 (Improper Neutralization of Special Elements in Data Query Logic) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'), indicating that the root cause is insufficient sanitization of input data that is incorporated into database queries. The vulnerability does not require elevated privileges beyond READ access to the affected entity types, but it does require that the attacker has some level of access to the system. No known exploits in the wild have been reported to date. The issue has been fixed in cruddl versions 2.7.0 and 3.0.2. As a temporary mitigation, users can remove the `@flexSearchFulltext` directive from their schemas to prevent exploitation.
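The following is an added illustration of the defect class the analysis describes, not code from cruddl itself: a fulltext search term spliced into AQL text by string concatenation beside the hardened form that passes the term as an AQL bind parameter. The view name `docsView`, the field `doc.text` and the analyzer `text_en` are assumed placeholders; the query objects mirror the `{ query, bindVars }` shape ArangoDB's HTTP cursor API and the arangojs driver accept.

```javascript
// Added example (not cruddl's code). Contrasts an AQL string built by
// concatenation, the CWE-943 pattern this advisory concerns, with one
// that carries the user-supplied search term as a bind parameter.
// "docsView", "doc.text" and "text_en" are assumed placeholder names.

// Vulnerable pattern: the term is spliced into the AQL text, so a double
// quote inside it ends the string literal early and whatever follows is
// parsed as AQL rather than treated as search text. Shown for contrast only.
function buildFulltextQueryUnsafe(term) {
  return {
    query:
      'FOR doc IN docsView ' +
      'SEARCH ANALYZER(doc.text IN TOKENS("' + term + '", "text_en"), "text_en") ' +
      'RETURN doc',
    bindVars: {},
  };
}

// Hardened pattern: the AQL text is a constant and the term travels as the
// bind variable @term, so ArangoDB always treats it as a plain string value.
function buildFulltextQuerySafe(term) {
  if (typeof term !== 'string') {
    throw new TypeError('search term must be a string');
  }
  return {
    query:
      'FOR doc IN docsView ' +
      'SEARCH ANALYZER(doc.text IN TOKENS(@term, "text_en"), "text_en") ' +
      'RETURN doc',
    bindVars: { term: term },
  };
}

// Simple code-review check: does the raw user input appear anywhere in the
// query text? True means the input was spliced into the AQL statement.
function queryTextContainsInput(built, term) {
  return built.query.includes(term);
}

// Constructed sample input: a term containing an embedded double quote.
const sampleTerm = 'ship"ment';

console.log('unsafe splices input:', queryTextContainsInput(buildFulltextQueryUnsafe(sampleTerm), sampleTerm)); // true
console.log('safe splices input:  ', queryTextContainsInput(buildFulltextQuerySafe(sampleTerm), sampleTerm));   // false
```

The same check applies when auditing any query builder that wraps ArangoSearch: the AQL text should be identical for every search term, with only `bindVars` changing.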

Potential Impact

For European organizations using cruddl in the affected versions with schemas employing `@flexSearchFulltext`, this vulnerability could lead to unauthorized execution of arbitrary AQL queries on their ArangoDB databases. This can compromise the confidentiality and integrity of sensitive data stored within these databases. Attackers with READ permissions could escalate their access by injecting queries that extract or manipulate data beyond their intended scope. This could result in data breaches, data corruption, or unauthorized data disclosure. The availability impact is likely limited but could occur if injected queries are crafted to degrade database performance or cause denial of service. Given that cruddl is used to expose GraphQL APIs, which are often accessible over networks, the attack surface includes external attackers if READ permissions are improperly assigned or internal attackers with limited privileges. The medium severity rating reflects the moderate ease of exploitation (requiring READ access and use of a specific schema directive) and the potential for significant data compromise. European organizations in sectors with high reliance on GraphQL APIs and ArangoDB, such as technology companies, financial institutions, and public sector entities, could be particularly impacted if they have not updated to patched versions or applied mitigations.

Mitigation Recommendations

1. Upgrade cruddl to version 2.7.0 or later (for 1.x and 2.x branches) or 3.0.2 or later (for 3.x branch) to apply the official fix for this vulnerability.
2. If immediate upgrading is not feasible, remove the `@flexSearchFulltext` directive from all GraphQL schemas to disable the vulnerable functionality temporarily.
3. Review and restrict READ permissions on root entity types with `@flexSearchFulltext` enabled to only trusted users to minimize the risk of exploitation.
4. Implement strict input validation and sanitization at the application layer to detect and block suspicious query patterns that could indicate injection attempts.
5. Monitor ArangoDB query logs for unusual or unexpected AQL queries that could signal exploitation attempts.
6. Conduct a security audit of GraphQL API usage and permissions to ensure least privilege principles are enforced.
7. Educate developers and administrators about the risks associated with `@flexSearchFulltext` and the importance of timely patching.
8. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block injection patterns targeting GraphQL endpoints.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-07-15T00:00:00.000Z
Cisa Enriched: true

Threat ID: 682d9844c4522896dcbf3da6

Added to database: 5/21/2025, 9:09:24 AM

Last enriched: 6/22/2025, 10:20:04 PM

Last updated: 8/12/2025, 3:31:44 AM

