CVE-2024-57634
Published: 14 January 2025
Summary
CVE-2024-57634 is a high-severity SQL Injection (CWE-89) vulnerability in Monetdb Monetdb. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CWE-89 by validating crafted SQL statements to prevent DoS crashes in the exp_copy component of MonetDB Server.
Implements specific DoS protections against network-accessible crafted SQL attacks causing high availability impact without authentication.
Mandates timely flaw remediation for the specific vulnerability in MonetDB Server v11.49.1 to eliminate the exploitable condition.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables unauthenticated remote exploitation of a public-facing database server via malicious SQL to trigger application/system crash and DoS.
NVD Description
An issue in the exp_copy component of MonetDB Server v11.49.1 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Deeper analysisAI
CVE-2024-57634 is a vulnerability in the exp_copy component of MonetDB Server version 11.49.1 that enables attackers to trigger a Denial of Service (DoS) condition through specially crafted SQL statements. The issue has a CVSS v3.1 base score of 7.5, rated as High severity, with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network-based exploitation with low complexity, no authentication or user interaction required, and high impact on availability but no impact on confidentiality or integrity. It is associated with CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Remote attackers without privileges can exploit this vulnerability by sending malicious SQL statements to a vulnerable MonetDB Server instance, causing it to crash or become unresponsive, resulting in a DoS. The attack requires no prior access or user involvement, making it accessible to unauthenticated adversaries over the network.
Details on the vulnerability, including potential mitigation steps, are documented in the project's GitHub issue tracker at https://github.com/MonetDB/MonetDB/issues/7435. Security practitioners should monitor this issue for official patches or workarounds from the MonetDB team.
Details
- CWE(s)