CVE-2024-57652

7.5 HIGH

📋 TL;DR

This SQL injection vulnerability in OpenLink Virtuoso's numeric_to_dv component allows attackers to execute crafted SQL statements that cause denial of service. It affects systems running vulnerable versions of Virtuoso OpenSource. Database administrators and applications using Virtuoso as their backend are at risk.

💻 Affected Systems

Products:
  • OpenLink Virtuoso OpenSource
Versions: v7.2.11 and potentially earlier versions
Operating Systems: All platforms running Virtuoso
Default Config Vulnerable: ⚠️ Yes
Notes: Any Virtuoso installation with SQL endpoint accessible to untrusted users is vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database unavailability through resource exhaustion or crash, affecting all dependent applications and services.

🟠

Likely Case

Service degradation or temporary unavailability of the Virtuoso database instance.

🟢

If Mitigated

Minimal impact with proper input validation, query parameterization, and network segmentation in place.

🌐 Internet-Facing: HIGH - Internet-facing Virtuoso instances are directly exposed to attack attempts.
🏢 Internal Only: MEDIUM - Internal systems could be exploited by authenticated users or through compromised internal hosts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ability to execute SQL statements against the vulnerable component. Likely requires some level of database access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check GitHub issue for latest patched version

Vendor Advisory: https://github.com/openlink/virtuoso-opensource/issues/1198

Restart Required: No

Instructions:

1. Monitor the GitHub issue for the official patch release.
2. Apply the patch when available.
3. Test in a non-production environment first.
4. Deploy to production systems.

🔧 Temporary Workarounds

Input Validation and Parameterization

Platforms: all

Implement strict input validation and use parameterized queries for all SQL statements.

Network Access Restrictions

Platforms: all

Restrict network access to Virtuoso SQL endpoints to trusted sources only.

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries in all applications using Virtuoso
  • Restrict database access to only necessary users and applications using principle of least privilege

🔍 How to Verify

Check if Vulnerable:

Check the installed Virtuoso version and compare it against the affected versions. Review whether the numeric_to_dv component is reachable through SQL endpoints exposed to untrusted users.

Check Version:

SELECT sys_stat('st_dbms_version');

Verify Fix Applied:

Verify version is updated beyond vulnerable version. Test with safe SQL queries to ensure functionality.
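The version comparison above, as an added example that is not part of this advisory: a small Python helper that takes a reported release tag and decides whether it falls inside the "v7.2.11 and potentially earlier" range. The version strings are constructed samples; the mapping between Virtuoso's internal build string (what sys_stat('st_dbms_version') returns) and the release tag is an assumption to confirm against the vendor advisory before relying on the result.

```python
# Added example (not from the advisory): classify an installed Virtuoso
# release tag against the affected range "v7.2.11 and potentially earlier".
# Assumption: the input is a dotted numeric release tag such as "v7.2.11";
# confirm how the internal build string maps to release tags before use.
import re

LAST_AFFECTED = (7, 2, 11)  # v7.2.11 is the last release the advisory lists as affected

def parse_version(text):
    """Return a tuple of ints from a release tag, or None if none is found.
    Tolerates a leading 'v', surrounding text and zero-padded components."""
    m = re.search(r"v?(\d+(?:\.\d+)+)", text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))

def compare(a, b):
    """Compare two version tuples, padding the shorter one with zeros."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def assess(version_text):
    """Classify a version string as 'affected', 'not affected' or 'unknown'."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    return "affected" if compare(v, LAST_AFFECTED) <= 0 else "not affected"

if __name__ == "__main__":
    # constructed sample inputs
    for s in ["v7.2.11", "7.2.12", "07.02.009", "Virtuoso 7.2.10", "n/a"]:
        print(s, "->", assess(s))
```

Because the advisory says "potentially earlier", every parseable version at or below 7.2.11 is reported as affected; anything that does not parse is reported as unknown rather than silently treated as safe.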

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL query patterns
  • Multiple failed query attempts
  • Resource exhaustion warnings
  • Database crash/restart events

Network Indicators:

  • Unusual SQL traffic patterns to database port
  • Multiple connection attempts with crafted SQL

SIEM Query:

source="virtuoso.log" AND ("error" OR "crash" OR "denial" OR "resource")
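The SIEM query above applied outside a SIEM, as an added example that is not part of this advisory: a Python script that runs the same keyword filter over log lines and then flags minutes in which matches cluster, which is the shape a denial-of-service attempt leaves behind. The log lines and their timestamp format are constructed for this example and do not reproduce Virtuoso's actual log layout; the burst threshold is likewise an assumed tuning value.

```python
# Added example (not from the advisory): apply the page's keyword filter
# ("error" OR "crash" OR "denial" OR "resource") to log lines and flag
# minutes with a burst of matches. Assumption: the log format below is
# constructed and is not Virtuoso's real format.
import re
from collections import Counter

KEYWORDS = ("error", "crash", "denial", "resource")  # terms from the SIEM query
TIMESTAMP = re.compile(r"^(\d{2}:\d{2}):\d{2}")      # captures HH:MM

# Constructed sample log excerpt (not real Virtuoso output).
SAMPLE_LOG = """\
10:14:02 INFO  Checkpoint made, log reused
10:15:11 ERROR SQL execution failed: numeric conversion
10:15:12 ERROR SQL execution failed: numeric conversion
10:15:12 WARN  resource limit approaching: memory
10:15:13 ERROR SQL execution failed: numeric conversion
10:15:14 ERROR Server crash detected, restarting
10:42:30 ERROR SQL syntax error near 'FORM'
"""

def matches_siem_query(line):
    """True if the line would match the advisory's keyword query (case-insensitive)."""
    low = line.lower()
    return any(k in low for k in KEYWORDS)

def flag_bursts(log_text, threshold=3):
    """Return {minute: count} for minutes with at least `threshold` matching lines."""
    per_minute = Counter()
    for line in log_text.splitlines():
        if not matches_siem_query(line):
            continue
        m = TIMESTAMP.match(line)
        if m:
            per_minute[m.group(1)] += 1
    return {minute: n for minute, n in per_minute.items() if n >= threshold}

if __name__ == "__main__":
    print(flag_bursts(SAMPLE_LOG))
```

The bare keyword query also matches the lone syntax error at 10:42, which is routine noise; grouping by minute keeps only the cluster at 10:15, where repeated failures precede a crash. Tune the threshold to the normal error rate of the instance before alerting on it.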
