CVE-2024-37843

9.8 CRITICAL

📋 TL;DR

CVE-2024-37843 is an unauthenticated SQL injection vulnerability in Craft CMS's GraphQL API endpoint. Attackers can execute arbitrary SQL commands without authentication, potentially compromising the entire database. All Craft CMS installations up to version 3.7.31 are affected.

💻 Affected Systems

Products:
  • Craft CMS
Versions: All versions up to and including 3.7.31
Operating Systems: All platforms running Craft CMS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations with GraphQL API enabled are vulnerable. GraphQL is enabled by default in Craft CMS.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution via database functions.

🟠 Likely Case

Database information disclosure, data manipulation, and potential administrative access to the CMS.

🟢 If Mitigated

Limited impact if GraphQL API is disabled or properly firewalled, though the vulnerability still exists in the codebase.

🌐 Internet-Facing: HIGH - The GraphQL endpoint is typically exposed to the internet and requires no authentication.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this, but external exposure presents greater risk.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public technical details and proof-of-concept are available. The vulnerability requires no authentication and is straightforward to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.7.32 and later

Vendor Advisory: https://craftcms.com/security

Restart Required: No

Instructions:

1. Update Craft CMS to version 3.7.32 or later via Composer: composer require craftcms/cms:^3.7.32
2. Run any required database migrations
3. Clear caches if necessary

🔧 Temporary Workarounds

Disable GraphQL API (platform: all)

Temporarily disable the GraphQL API endpoint until patching is possible.

Edit config/general.php and set 'enableGraphql' => false

Restrict GraphQL Access (platform: linux)

Use web server rules to restrict access to the GraphQL endpoint:

  • For Apache: add location block for /api in .htaccess
  • For Nginx: add location block for /api in server config

🧯 If You Can't Patch

  • Implement WAF rules to block SQL injection patterns targeting GraphQL endpoints
  • Restrict network access to the Craft CMS instance using firewall rules

🔍 How to Verify

Check if Vulnerable:

Check Craft CMS version in admin panel or via composer show craftcms/cms

Check Version:

composer show craftcms/cms | grep versions

Verify Fix Applied:

Confirm version is 3.7.32 or later and test GraphQL endpoint with known payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual GraphQL queries with SQL syntax
  • Multiple failed GraphQL requests with injection patterns
  • Database error logs showing SQL syntax errors

Network Indicators:

  • POST requests to /api containing SQL keywords in GraphQL queries
  • Unusual traffic patterns to GraphQL endpoint

SIEM Query:

source="web_logs" AND (uri_path="/api" OR uri_path="/graphql") AND (request_body CONTAINS "UNION" OR request_body CONTAINS "SELECT *" OR request_body CONTAINS "information_schema")
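As an added example (not part of the original advisory), the same indicators applied to constructed JSON web-log lines in Python: it keeps only requests to the GraphQL paths, percent-decodes the body so encoded form submissions are not missed, and matches the SIEM query's SQL keywords case-insensitively. Field names (uri_path, request_body, src_ip) follow the SIEM query above; the sample events are made up.

```python
import json
import re
from urllib.parse import unquote_plus

# Same conditions as the SIEM query: GraphQL endpoints and SQL keywords.
GRAPHQL_PATHS = {"/api", "/graphql"}
SQL_MARKERS = re.compile(r"\bUNION\b|SELECT\s+\*|information_schema", re.IGNORECASE)

# Constructed sample events (not real traffic), serialised one JSON object per line.
SAMPLE_EVENTS = [
    # Ordinary GraphQL query: should not be flagged.
    {"src_ip": "198.51.100.7", "method": "POST", "uri_path": "/api",
     "request_body": '{"query":"{ entries(section: \\"news\\") { title } }"}'},
    # JSON body carrying SQL keywords inside a GraphQL string argument.
    {"src_ip": "203.0.113.10", "method": "POST", "uri_path": "/api",
     "request_body": '{"query":"{ entries(search: \\"UNION SELECT * FROM information_schema.tables\\") { id } }"}'},
    # Percent-encoded form body with mixed-case keyword: only caught after decoding.
    {"src_ip": "203.0.113.11", "method": "POST", "uri_path": "/graphql",
     "request_body": "query=%7B%20entries%28search%3A%20%22id%20uNiOn%20select%22%29%20%7B%20id%20%7D%20%7D"},
    # Keyword on a non-GraphQL path: outside this rule's scope.
    {"src_ip": "192.0.2.5", "method": "GET", "uri_path": "/index.php",
     "request_body": "information_schema"},
]
SAMPLE_LOG = "\n".join(json.dumps(event) for event in SAMPLE_EVENTS)


def flag_graphql_sqli(log_text: str) -> list[dict]:
    """Return one hit per log line that meets the SIEM query's conditions."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the sweep
        if event.get("uri_path") not in GRAPHQL_PATHS:
            continue
        # Decode percent-encoding before matching; a plain JSON body is unaffected.
        body = unquote_plus(event.get("request_body", ""))
        match = SQL_MARKERS.search(body)
        if match:
            hits.append({"src_ip": event.get("src_ip"),
                         "uri_path": event["uri_path"],
                         "marker": match.group(0)})
    return hits


if __name__ == "__main__":
    for hit in flag_graphql_sqli(SAMPLE_LOG):
        print(hit)
```

Keyword matching of this kind is noisy on sites whose content legitimately mentions SQL, so treat hits as triage candidates to correlate with the database error logs listed above rather than as confirmed exploitation.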
