CVE-2023-48952
Description
An issue in the box_deserialize_reusing function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A SELECT statement with a malformed CASE expression triggers a crash in Virtuoso 7.2.11 via box_deserialize_reusing, causing Denial of Service.
Vulnerability
The vulnerability resides in the box_deserialize_reusing function in OpenLink Virtuoso Open-Source v7.2.11. A crafted SELECT statement that includes a UNION with a CASE expression containing a malformed tuple literal (e.g., ((32433852.000000, 70038895.000000), (64572024.000000, 4442219.000000))) triggers a crash during query execution. The issue is reproducible with a simple SQL PoC that creates a table, inserts a row, and runs the malformed query [1].
Exploitation
An attacker needs only network access to a running Virtuoso instance (default port 1111) and valid credentials (e.g., dba). The provided PoC uses isql to execute the crafted SQL. The attacker creates a table, inserts data, and then runs the malicious SELECT statement. The crash occurs immediately upon execution, with a stack trace showing the fault in box_deserialize_reusing [1].
Impact
Successful exploitation causes a Denial of Service (DoS) — the Virtuoso server process crashes. The vulnerability does not appear to allow code execution or data leakage; the impact is limited to availability loss for the database service until the server is restarted [1].
Mitigation
As of the publication date of this CVE (2023-11-29), no patched version has been released. The issue is tracked in the project’s issue tracker [1]. Users should monitor the vendor for updates. There is no known workaround; blocking untrusted SQL input or restricting network access to trusted users reduces the attack surface.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- openlink/virtuoso-opensource
- Range: = 7.2.11
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.