CVE-2024-57643
Description
An issue in the box_deserialize_string component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Virtuoso 7.2.11 crashes on crafted SQL that reaches box_deserialize_string, causing denial of service.
Vulnerability
The vulnerability resides in the box_deserialize_string component of OpenLink Virtuoso Open-Source v7.2.11 [1]. A specially crafted SQL statement, such as one containing a CASE expression with a subquery, triggers a crash in box_deserialize_string as shown in the backtrace [1]. The issue is reproducible on the latest branch [1].
Exploitation
An attacker can exploit this by executing a crafted SQL statement against a Virtuoso server. Authentication is not a barrier if the server accepts unauthenticated connections or still uses default credentials (e.g., the dba account with password dba). The provided PoC involves creating a table, inserting a row, and then executing a complex SELECT with GROUP BY and ORDER BY clauses that triggers the crash [1].
Impact
Successful exploitation causes a denial of service (DoS) by crashing the Virtuoso server process, leading to service interruption [1].
Mitigation
As of the publication date (2025-01-14), no official fix has been released [1]. The issue is reported on the project's issue tracker. Users should restrict network access to the Virtuoso server to trusted hosts only, change any default credentials such as the dba account so that the credential path described above is closed, and monitor for updates from the vendor.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.