CVE-2024-57647
Description
An issue in the row_insert_cast component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crash in Virtuoso Open-Source 7.2.11's row_insert_cast function enables denial of service via crafted SQL.
Vulnerability
The vulnerability resides in the row_insert_cast component of OpenLink Virtuoso Open-Source version 7.2.11 [1]. A specially crafted SQL statement — provided as a proof of concept by the reporter — triggers a crash when processed by the database engine, leading to a denial of service. The affected version is explicitly v7.2.11, and the issue is reproducible in the beta Docker image [1].
Exploitation
An attacker requires the ability to execute arbitrary SQL statements against a Virtuoso instance running the vulnerable version. No special privileges beyond standard SQL access are needed; the provided PoC consists of a series of CREATE TABLE, INSERT, SELECT, and UPDATE statements that can be submitted by any authenticated database user [1]. The crash occurs during the execution of these statements, specifically within the row_insert_cast function (backtrace shows row_insert_cast+0x50 at frame #0) [1].
Impact
Successful exploitation causes the Virtuoso process to terminate, resulting in a denial of service (DoS) [1]. The attack directly impacts availability; no data confidentiality or integrity compromise is described in the available sources.
Mitigation
As of publication, no official fix or patched version has been released by OpenLink [1]. Users should monitor the referenced issue tracker [1] for updates. If immediate mitigation is required, restricting SQL execution privileges to trusted users may reduce the attack surface, but this is not a complete workaround.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.