CVE-2024-57630
Published: 14 January 2025
Summary
CVE-2024-57630 is a high-severity SQL Injection (CWE-89) vulnerability in Monetdb Monetdb. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-57630 is a denial-of-service vulnerability in the exps_card component of MonetDB Server version 11.49.1. The flaw allows attackers to trigger a DoS condition through specially crafted SQL statements, as classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). It has a CVSS v3.1 base score of 7.5, reflecting high severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and significant impact on availability without affecting confidentiality or integrity.
Remote attackers without authentication can exploit this vulnerability by sending malicious SQL statements to a vulnerable MonetDB Server instance. Successful exploitation results in a denial of service, potentially crashing the server or exhausting resources, thereby disrupting legitimate database operations.
Details on the issue, including potential patches or workarounds, are documented in the MonetDB GitHub repository at https://github.com/MonetDB/MonetDB/issues/7439. Security practitioners should monitor this issue for official remediation guidance from the vendor.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53662
Vulnerability details
An issue in the exps_card component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated exploitation of public-facing DB server via crafted SQL input directly enables application exploitation for endpoint DoS.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates CWE-89 SQL injection by validating and sanitizing crafted SQL statement inputs to the exps_card component, preventing DoS exploitation.
Addresses the specific flaw in MonetDB v11.49.1 by requiring timely remediation through vendor patches or updates as documented in the GitHub issue.
Implements denial-of-service protections to counter resource exhaustion or crashes triggered by malicious SQL statements in the vulnerable server.